Insurance Doesn’t Tackle Underlying Problem of Cyber Crime: Bloomberg View

By Mark Gilbert | April 13, 2015

  • April 13, 2015 at 1:19 pm
    Don Quixote says:

    So when a burglar kicks in my door, do the police blame me for not having a “good enough” lock? The whole concept of cyber liability is flawed. Just because the cops can’t be bothered to go after these hackers doesn’t mean the blame for their crimes should fall on their victims. If a company doesn’t protect its data at all, I can see where they would be liable, but if they have passwords, virus programs, and so forth why should they be blamed because a criminal defeats those measures?

    Law enforcement should be treating these hacks as serious crimes and there should be laws passed to protect business against cyber liability claims when some crook defeats their security. We need to stop holding the victim of the hack responsible and go after the hackers.

  • April 13, 2015 at 2:05 pm
    Crain says:

    I guess that I read this article a little differently than you. We are not doing everything that we can to prevent cyber crime. I agree that insurance is for this type of event. I don’t have a problem with the laws, but I could not agree more with your statement about law enforcement. Why have they not gone after this more aggressively? If this has been pursued aggressively by law, it does not appear that way. I see this in the same way as you on some levels. Let us establish what are good prevention factors and practices. If a customer does not practice any of them, perhaps coverage should be denied. If a customer practices some, they get coverage, but with a higher rate as any less attractive insured would get. Best rates could go to those who embrace and enforce the best practices to prevent losses.

  • April 13, 2015 at 10:19 pm
    MCT says:

    Regarding the law enforcement silver bullet that seems to be the “problem”… it doesn’t exist.
    The door and not the lock on the house is more the example or the door on the car. If a thief reaches into a car with an open window or the thief simply opens the front door, it’s not about “fault” or “blame”. It’s about ignorance and apathy. A professional thief will always find a way when money is the driver.
    Let’s rewind about forty years, or just ten for that matter. How much do each of you think the “standard” crime rates have gone down in your town/city? I doubt it has gone down at all.
    So today the world opens its city gates to the rest of the world and is no longer dealing with the local criminals (some of those repeats), it now has to deal with unseen criminals from anywhere on the planet.
    How do you throw a man-power number at the local mayor or chief to resolve that issue and who isn’t complaining when the taxes rise to pay for what they need?
    Additionally, the average pay for law enforcement is nowhere near that of a good cyber professional. I don’t care if you are a local, state or federal officer, the pay is significantly higher in the private sector – period.
    Who really believes that anyone would want to be in law enforcement (especially today) and be required to have a four year degree, certifications and everything needed to be a cyber warrior?
    Okay, if you don’t agree with that, at least in part… think of this… there’s no US law enforcement officer that has international authority.
    Yes, the FBI works with MI-6 and INTERPOL and yadda, yadda… but that’s not the rule, that’s the exception. No agency is going to spend hundreds of thousands to millions of dollars to nab the average cyber criminal. Do you think Russia or China are going to extradite these people – not hardly.
    Cyber insurance is a stop-gap and it is needed.
    One last question… what if your insurance stated that even though your car door was locked, you parked in a lighted garage, there were police on patrol and your car was stolen. Would you blame the police, would you blame the individual or car manufacturer? You should be blaming the thief and trying to keep that same attack from happening again.
    Just my opinion.

  • April 14, 2015 at 5:04 pm
    Ty Sagalow says:

    I am reading the article perhaps a bit differently than others. Despite its title, it seems to conclude what we would all agree is obvious. Insurance is not (nor ever was supposed to be) the “only answer”. It is simply an essential part of the answer, i.e. an essential part of an overall risk management strategy which must include good cyber security.

    In more detail, my conclusions on the article are:

    The title is misleading as it implies (and has been interpreted by some) to be a criticism of cyber insurance and even a suggestion not to buy it. The full article indicates that this is not accurate.

    The article presents three “facts” and five “conclusions”. I agree with the facts and four (more or less) of the four conclusions.

    Facts: (1) Data breaches are getting more expensive – probably true. (2) Cyber crime (whatever that means) is costing companies more money – probably true. (3) Demand for cyber insurance is increasing – almost certainly true.

    Conclusions: (1) Insurance deals with the financial consequences of an event not its causes — True in the strictest sense of the phrase, but, in reality, the ability to qualify for insurance, including cyber insurance, deals fundamentally with understanding and risk managing against the causes of the insured peril, i.e. successful cyber attack. (2) Governmental partnership is a necessary element of the solution – True. The private cyber insurance market can only do so much. The federal government has a role to play as “reinsurer of last resort” when it comes to massive sophisticated attack against our critical infrastructure by hostile nation states for international cyber terrorist organizations. They have yet to do their part. (3) Similarly, the government should create rules to obligate companies to disclose their cyber preparedness – True and already occurred in a major way, see SEC Disclosure Guidance Report issued in December 2011. Now the SEC needs to start its enforcement action based on the report. (4) It is easier to buy insurance than to have good security – NOT TRUE. Folks that do not have good security do not qualify for insurance. That is the essence (and the need) for underwriting. And finally (5) AND MOST IMPORTANTLY: Insurance is not the “only answer” – True. Insurance is, and never was, the “only answer”, just a necessary part of the answer. Thus, just like we must both have a locked door on our homes as well as buy homeowner’s insurance, so true is the fact that we must have good cyber security as well as buy cyber insurance.

    Bottom line. This article says the obvious. Good cyber risk management includes good security accompanied by the purchase of insurance.


