FTFY
Buyers will have templates explaining what they need to buy to demonstrably reduce risk, which vendors are paying insurers to promote their products from their marketing budgets.
Global mega-insurers Allianz and Aon have just given IT buyers and the security industry plenty to ponder by cooking up a deal with Apple and Cisco that makes users of those companies’ kit eligible for a special class of cyber insurance. Part of the new deal is business as usual, as it will see “Aon cyber security …
Except, you have to remember the insurance companies are putting their own money on the line by offering lower premiums if you use those products. If they offer you a lower premium for using a product that is bad, it will come back and bite them in their wallet, costing them much more than whatever they would be paid by the vendor. This is not like Gartner, which makes recommendations with no skin in the game. I'm not saying their recommendations will be 100% correct, but they have too much of their own money at stake to simply sell a spot on their preferred list.
Another point is that if you follow the insurance template and suffer a major mischief due to a design flaw sufficient to sue Apple or Cisco for - a la use of Intel CPUs - then the insurance company will get added to the suit. Insurance companies' forte is managing risk. I would thus want to have my flinty-eyed lawyers and accountants review their endorsements to understand what constitutes an act of a vengeful digital deity for which the insurance company absolves itself of responsibility.
If you buy fire insurance it is pretty easy to evaluate how a building complies with code, how well the occupants comply with code, what materials it is constructed from, if it has fire suppression, if it has an alarm, what the typical response time of the local fire department is, etc.
If you buy insurance against getting hacked, there is a loose list of "best practices" - many of which haven't been updated since the 90s and are so obsolete as to be counterproductive - and you have to actually do all the things your policies say you're going to do or they are worthless (like keeping current on patches). One employee getting phished can let an attacker inside and all your perimeter defenses are worthless; you may have intrusion detection, but 99% of the time it is either so noisy that real alerts are missed or so many alerts have been shut off to keep it from being noisy that real alerts are suppressed, and the intruder goes unnoticed.
If your business is struggling and you set fire to the place, there are decades of practice in forensic fire examination that have a good chance of proving it was arson. If you set yourself up to get hacked by someone halfway around the world to collect on the insurance money, good luck to your carrier being able to prove it.
First, try getting this cover for a reasonable premium.
Second, read the small print.
Third, insurers won't offer cover if they can't make money.
Insurance is a protection against financial loss. The insurer will insist on minimum standards which will improve the protection levels. The no claims discount will be an interesting calculation.
My coat is the one with the actuarial tables in it.
Um, most of the things you mention are good reasons why having an outside insurance agent to force you to comply with best practices is a good thing, tbh.
Keeping current on patches? Something we're always complaining ought to be in place, and we roundly mock any company which is hacked for failing to do so.
One employee getting phished? Forces you to keep your anti-phishing training and automated email filters up to date and to enforce least privilege properly. If Susie in the call centre can't access anything, her being phished doesn't matter.
IDS having all its alerts switched off? Not something that ought to be happening either.
Many of these things are areas IT and IS have spent years trying to push companies toward, but companies themselves have failed to see any reason to do so. Having an insurance company demand compliance to provide coverage may actually make C-suite or board members take it a bit more seriously.
> worthless (like keeping current on patches)
Whilst some outdated security practices are worthless - like password complexity tests plus repeated password changes - keeping current on patches is definitely not.
If your OS or applications have known holes, they *are* going to get exploited sooner or later.
> One employee getting phished can let an attacker inside and all your perimeter defenses are worthless
That's really just saying "perimeter defenses are worthless", which is indeed true.
See Google's "BeyondCorp" paper for a better way of doing it. Basically: don't trust anything inside the network any more than you trust the outside. All apps must validate both the device and the end user (or sit behind a proxy which does that). And all devices must prove they have been locked down and are fully patched.
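The two ideas above (least privilege for the phished call-centre user, and a BeyondCorp-style proxy that judges every request on user identity plus attested device posture rather than on where the packet came from) can be shown as a small policy engine. This is an added example, not code from the commenter, Google, or the BeyondCorp paper; the app names, group names, patch-level numbers, the HMAC-signed posture record standing in for a real device certificate, and the hypothetical device-inventory service are all assumptions made for illustration.

```python
"""Toy BeyondCorp-style access decision (added example, not the paper's code).

A hypothetical access proxy in front of internal apps decides each request
from (authenticated user, signed device posture) only. The source IP is
passed in purely to show that it is never consulted: an unmanaged laptop
on the corporate LAN gets the same answer as one in a coffee shop.
"""
import copy
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed secret shared by the (hypothetical) device inventory service
# and the proxy. A real deployment would use device certificates, not HMAC.
INVENTORY_KEY = b"constructed-demo-key-not-for-production"

# Hypothetical per-app policy: allowed groups, minimum OS patch level the
# device must attest to, and whether only managed devices may connect.
APP_POLICY = {
    "wiki":    {"groups": {"staff", "eng"}, "min_patch": "10.13.2", "managed_only": False},
    "source":  {"groups": {"eng"},          "min_patch": "10.13.2", "managed_only": True},
    "payroll": {"groups": {"finance"},      "min_patch": "10.13.3", "managed_only": True},
}

MAX_CLAIM_AGE_S = 3600  # posture records older than an hour are stale


def sign_device_claims(claims: dict, issued_at: float) -> dict:
    """What the inventory service would hand the device: claims plus a MAC."""
    body = dict(claims, iat=issued_at)
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(INVENTORY_KEY, payload, hashlib.sha256).hexdigest()
    return {"claims": body, "sig": sig}


def verify_device_claims(record: dict, now: float) -> Optional[dict]:
    """Return the claims only if the MAC verifies and the record is fresh."""
    payload = json.dumps(record["claims"], sort_keys=True).encode()
    expected = hmac.new(INVENTORY_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, record.get("sig", "")):
        return None  # tampered or forged posture record
    if now - record["claims"]["iat"] > MAX_CLAIM_AGE_S:
        return None  # stale: device may have drifted out of compliance
    return record["claims"]


def version_tuple(v: str) -> tuple:
    return tuple(int(x) for x in v.split("."))


def decide(app: str, user: dict, device_record: dict, source_ip: str, now: float) -> Tuple[bool, str]:
    """Allow/deny with a reason. Note that source_ip is deliberately unused."""
    policy = APP_POLICY.get(app)
    if policy is None:
        return False, "unknown app"
    if not user.get("authenticated"):
        return False, "user not authenticated"
    device = verify_device_claims(device_record, now)
    if device is None:
        return False, "device posture unverifiable or stale"
    if policy["managed_only"] and not device.get("managed"):
        return False, "unmanaged device"
    if version_tuple(device.get("os_patch", "0")) < version_tuple(policy["min_patch"]):
        return False, f"device patch level {device['os_patch']} below {policy['min_patch']}"
    # Least privilege: group membership is checked per app, so a phished
    # call-centre account still cannot reach source or payroll.
    if not (set(user.get("groups", ())) & policy["groups"]):
        return False, "user not in an authorized group"
    return True, "ok"


def run_examples() -> dict:
    """Constructed scenarios; returns {name: (allowed, reason)}."""
    now = 1_700_000_000.0
    eng = {"authenticated": True, "groups": ["staff", "eng"]}
    susie = {"authenticated": True, "groups": ["staff"]}  # call-centre user
    good = sign_device_claims({"managed": True, "os_patch": "10.13.3"}, now - 60)
    byod = sign_device_claims({"managed": False, "os_patch": "10.13.3"}, now - 60)
    old = sign_device_claims({"managed": True, "os_patch": "10.13.1"}, now - 60)
    stale = sign_device_claims({"managed": True, "os_patch": "10.13.3"}, now - 7200)
    tampered = copy.deepcopy(byod)
    tampered["claims"]["managed"] = True  # edited after signing: MAC no longer matches
    return {
        "compliant_from_coffee_shop": decide("source", eng, good, "203.0.113.7", now),
        "unmanaged_inside_corp":      decide("source", eng, byod, "10.0.0.5", now),
        "unmanaged_to_wiki":          decide("wiki", eng, byod, "10.0.0.5", now),
        "unpatched":                  decide("source", eng, old, "10.0.0.5", now),
        "stale":                      decide("source", eng, stale, "10.0.0.5", now),
        "tampered":                   decide("source", eng, tampered, "10.0.0.5", now),
        "wrong_group":                decide("payroll", susie, good, "10.0.0.5", now),
    }


if __name__ == "__main__":
    for name, verdict in run_examples().items():
        print(f"{name:28s} -> {verdict}")
```

The point of the scenarios is that the corporate address 10.0.0.5 never buys anything: the unmanaged laptop is refused the source repo from inside the LAN, while a compliant device is admitted from an arbitrary external address, and Susie's phished account fails the group check for payroll regardless of device or network.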
I agree. Insurance companies charging extra for poor security is a good thing, as above, it may actually get the C-suites to reduce their rectal-cranial inversions.
However, mandating certain brands for the discount seems awfully prone to back-handers, overlooking niche players, and a ramping up of the inverse-hammer fallacy (Hammer Fallacy: If all you have is a hammer, every problem looks like a nail; Inverted: If we don't have the solution, it is obviously not a problem.). EG: Getting a Cisco Firewall approved instead of <OtherBrand> that has features that are needed for the site, thus reducing security and effectiveness.
After the Great Fire of London, the reinsurance companies refused to issue policies to insurance companies that were overly exposed to wooden structures.
Here in the US, insurers got so tired of dodgy electrical appliances that they formed a group to inspect and recommend them--"Underwriters Laboratories", also known as "UL".
So it's not a surprise that the insurers are taking this sort of step. The surprise is that they are recommending Cisco. Ahh, well. That's what bankruptcies are for...
In my world, MSFT and Adobe dominate markets while not getting security right. Not sure about Cisco, but Apple has indeed a record of serious measures towards security.
For example, they encourage (force?) developers to sandbox their apps, which is much better than what MSFT does: google "Apple App Sandbox in Depth".
Of course they also have issues, but at least they appear to work on systemic fixes instead of just more band-aids.