Assessing the value of cyber-insurance

A good policy would be welcome if a data breach ever hit our manager's company, but what constitutes a good policy?

I've ventured into new territory lately: cyber-insurance. Here's why.

Hotel chains. Zoo gift shops. Amusement parks. Our own U.S. government's Office of Personnel Management. Security breaches continue to abound, apparently undiminished. And they are all over the news, which is causing me no end of headaches at work (especially with the overly dramatic coverage the network news provides). Just today, Trump Properties announced a security breach that compromised credit card numbers, with a particularly telling statement: "Like virtually every other company these days, we have been alerted to potential suspicious credit card activity and are in the midst of a thorough investigation." "Like virtually every other company" -- except mine, as long as I can prevent us from being a victim like all the others.

Every time one of these breaches hits the news, I get interrogated by my company's board and senior management. What are we doing to protect ourselves? Are we doing enough to avoid being a victim? And lately, I've been getting asked, "If the U.S. government can't protect itself, how can we hope to?"

Leaving aside for the moment that all these victims (including the government) have not done all they can to protect themselves, these questions are not easy to answer. First of all, the senior executives at my company are not particularly tech-savvy. After I get about three words into my explanation of our technology defenses, their eyes glaze over and they lose interest. And the answer is complicated. I have many layers of technologies and process in place to defend my company's network, along with sophisticated intrusion detection that should alert me if anybody does get past our defenses. It's hard to boil all those down into a 30-second elevator summary.

I'm also having difficulty answering the question "Are we doing enough?" I talk about the SANS Top 20 risks and controls, which are an excellent starting point. I have done extensive risk assessments, both internal and external, and have security controls in place for all the risks that have been identified. I've even made a list of "everything" that security practitioners can do. But again, the eyes glaze over the minute I start talking.

Plus, there's the truth of the matter: Nobody can really do enough to stop 100% of all technology threats. And nobody wants to hear that.

We are barraged with constant updates from Adobe to fix serious vulnerabilities in its Flash Player software that runs on practically every computer, everywhere. Microsoft releases security patches every month, which we have to deploy quickly without missing any systems. We are bombarded with phishing emails, and our employees can't seem to avoid malicious websites. How can we hope to stay on top of all that, before the hackers take advantage of something we missed, or haven't gotten to yet?

Which is why we are considering cyber-insurance. This was an idea first advanced by my company's board of directors. It didn't make sense to me at first, because I think we really are doing everything reasonable to prevent an attacker from breaking into our network, so why pay for coverage for something I don't think is going to happen? But then again, as I said, nothing can be 100% secure. So the more I think about it, the more sense it makes to carry insurance that covers the costs of a security breach (assuming that the coverage is legitimate, that it is broad enough to cover the real-world attack scenarios we may experience, and that the insurance company won't try to weasel out of paying if we do get breached). The coverage can pay for the costs of investigating, reporting and remediating the breach.

However, not surprisingly, the policies I looked at varied widely on these factors. Several were pathetically weak: they explicitly excluded most of the real-world threats we are concerned about, placed unreasonable limits on others, and provided coverage mainly for the less likely scenarios. But there were a couple that did cover things I think are possible -- such as hackers exploiting improperly configured servers, networks or firewalls to gain access to our network, or clueless employees who get their computers infected with malware by opening email attachments or visiting malicious websites, resulting in an intrusion or data theft. Those better policies cover the costs of forensic investigation, notifications and cleanup.

So now my opinion on the value of cyber-insurance has done a 180. What at first I thought was pointless may in fact turn out to be a reasonable value. I'll continue reviewing and discussing these policies with the management at my company, but I think we will decide to get the coverage.

This week's journal is written by a real security manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. Contact him at
