Cyber insurance – to take or not to take?

As you probably know, cyber insurance is one of the trending topics in infosec at the moment. So let’s have a little internal debate to help understand it. 

I recently saw that a number of councils in Florida, US have taken up cyber insurance. Why? Because as a governmental department, they have little budget for IT and cyber security. Why? Because if they had a surplus of cash, they would probably spend it on resurfacing roads, planting trees, removing chewing gum from the underside of park benches, etc. etc. Well, at least that’s what I’d spend it on if I had a say…

So. What better way to spend IT and cyber budget than on getting insurance in case shit hits the fan. I can actually somewhat understand this approach, as long as they still put some resources into preventing, detecting and responding to cyber incidents. 

On the other hand, cyber actors are no longer hooded kids in their mothers’ basements, spending their pocket money on a new stick of RAM so they can crack more passwords per second. You know, the blurred figures you still see in photos within 90% of cyber related articles on the internet today (BBC tech, The Register – sort your shit out). 
I’m not suggesting this was ever the case, actually. 

Anyhow, cyber actors are unsurprisingly intelligent. Referring back to the above story, a bunch of actors clocked on to the fact that a handful of Florida councils had cyber insurance. So, what happened? Well, of course they targeted them with ransomware. What happened then? The councils paid that shit up. Even more interestingly, the actors sent their ransom notes directly to the cyber insurance company, skipping the middleman entirely. Clever, huh? 

Lake City, Florida, which has only 12,000 residents, recently paid 42 bitcoins ($400,085.00). The IT director was fired shortly after. So… 42 Bitcoin here and 65 the week before from the Florida city of Riviera Beach. That’s 107 Bitcoin, currently valued at $1,360,000. More recently, the Florida municipality of Key Biscayne was hit (only 3,000 residents). This is no coincidence. 

Stepping back. What this means is that cyber actors are targeting those organisations they know, or have reason to believe, are investing in cyber insurance, which will lead to more targeted attacks and more payouts. The actors will become more resourceful, buy more sticks of RAM, expensive hoodies and bigger basements and, if they have some cash left over, step up their TTPs. 

Then what? Easy, cyber insurance companies will start to increase premiums, refine their requirements and, hopefully, set an appropriate minimum baseline of security posture. We’re probably going to witness cyber insurance companies becoming like the life insurance market. Imagine, you’re 35, exercise regularly, don’t smoke, don’t have a stressful lifestyle (i.e. you’re not a nurse or CISO) – you’re going to be quoted less than the CISO who is overweight, chain-smokes, is stressed and changes their job every six months because they go into a company, buy lots of cyber toys, hire lots of people, complain about the skills gap, lack of budget and that management doesn’t listen, then quit to do it all again at a new company (OK, I got a little carried away there). 

Back to the point, cyber insurance companies will probably start asking for a minimum baseline of security posture. Hell, maybe they will even ask for an independent pen test or red team report and price your premium on the results. What if they required not only an initial minimum baseline, but continuous evidence of security improvement activities like audits, security awareness tests and maturity assessments? What if the future of cyber insurance actually made the industry better at security? 

Perhaps I’m somewhat optimistic today. On the other hand, what if companies buy cyber insurance instead of doing the right things, at the right time, in the right order? What if they think “ah, it will be fine as we have insurance now”? What if they give fewer shits about improving their posture and stop focusing on improving their prevention, detection and response controls? I believe this attitude exists in some organisations, and it will end badly. 

So, should you take out cyber insurance? Well of course that depends on some things:

  • Your threat profile – are you seeing attacks? By which actors? Using what TTPs? What breaches or incidents have already happened? 
  • Your current security posture – if you’ve experienced breaches or incidents, what did you learn about your ability to protect, detect, respond and recover? What is the maturity of the controls aligned to those threats?
  • Your improvement activities – what is the strategy and plan for improving controls?
  • Your risk assessment results – will your plan mitigate the actors and their TTPs? What residual risk does that leave? What is the likelihood that you will suffer a loss?