A few days ago @Wh1t3Rabbit @dearestleader @DFIR_Janitor and I had a nice little conversation about insurance companies and Information Security with regards to breaches and how companies handle the potential risks. We already have red-teamers that are tasked with doing risk compliance testing for companies and now it seems that the blue-teamers are going to be dragged into being the “adjusters” in this new realm of cyber-insurance. (to be fair to the others, I will take responsibility for this post just in case it fails utterly, their good names won't be besmirched, but if they agree, even better!)
Now the article I am going to cite does not come out and say this, but this would of course be the natural progression, in my humble opinion. So without commenting any further, here is the article from ZDNET to which I am referring: http://www.zdnet.com/police-cant-stop-cybercrimals-but-maybe-insurers-can-7000035514/
Of particular note are the following quotes:
“Encouraging the creation of an insurance market for online crimes could help enforce standards of security, just as home insurers insist on a particular type of locks on doors and windows before they will agree a policy. This makes it harder for burglars to break in as well as potentially reduces the burden on the police.”
OK, so from this we can glean that, if insurers are involved, upper management might buy into more stringent security measures because it will save them money? Really? Well, if they would invest in and promote security best practices to begin with, they wouldn't need insurance in the first place, right? Also, this raises the question of which “lock” would be the preferred lock, opening an avenue where only “insurance-approved” security appliances can be used in a system.
And it continues:
“The government argues that insurers are in a good position to encourage businesses - small ones especially - to improve their cybersecurity by asking tough questions about their breach and operational risk policies.”
Again, really, it takes insurers to encourage this? I’ll say it again: this is the job of the C-level folk to make this happen, not some third party that will make money off a lazy corporate security climate, regardless of a breach. Think about it this way: a bank’s physical location might be insured, but they spend a hell of a lot of money on security, not to mention those large and very expensive vaults that are installed at every location. Hell, it’s easier to break into a bank’s IT infrastructure than it is to literally rob a bank (and get away with a respectable amount of money). Let that sink in for a minute…
To their credit, there is a somewhat sane response in the article:
“Whilst insurance offers financial protection to businesses, it does not incentivize businesses to invest in enhancing their cyber security defenses.”
However, the paragraph continues down the spending the money trail with this:
“He said organizations that demonstrate good cybersecurity should be rewarded through lower premiums, adding: ‘This would align to steps taken by insurers offering protection against wider business interruption and ensure that such risks were being appropriately managed by businesses and not just managed through insurance coverage.’”
Which looks good in print, but sounds to me like compliance taken to the next level instead of truly focusing on the real issue: creating and maintaining a stalwart security posture, rather than just adding another layer of “bandages” into the mix.
So, is everyone ready to work for an insurance company?