Hey Spice Heads I want your thoughts :

Do we really need to tell clients to buy this?

If IT has good sound cybersecurity procedures in place is insurance needed?

33 Spice ups

Yes! 100%.

Even if you think you have good cybersecurity practices, Threat Actors will still find a way in.

That’s like saying that you keep up with maintenance on your car, but there is no need for insurance since your car is in good shape.

4 Spice ups

No! 0%. (Couldn’t resist.)

Well, of course, it depends. Insurance is part of a total risk management strategy. You calculate your total loss based on different scenarios. Then you decide how much of that loss you are willing to self-fund. Then you look what it will cost to have a policy to cover the unfunded loss. And then you decide if it makes financial sense to do so.

It’s like saying you have a 15-year old car that’s in great shape. But you don’t get collision coverage at $1200/year because the buy-out value you’d receive if it was totaled is only $100.

9 Spice ups

If I own the business, I’m going to self-insure with offline backups.

You can buy insurance for anything, even death by coconut: The Price of Insurance Against Lethal Coconuts: What You Need To Know | Pricing Strategy Consultant

Insurance or not, 31% of US companies close down after falling victim to ransomware: 31% of US companies close down after falling victim to ransomware - Atlas VPN

If you don’t have good backups that are regularly tested, the insurance won’t do you a bit of good.

2 Spice ups

I say yes. Insurance can help you if your business is disrupted due to a cyber incident. For example, it could provide funding to help you get back up and running again, to cover payroll while you’re down, and so forth. A good policy will also provide a sanity check by telling you things they won’t cover. “If you didn’t do X, we don’t pay.”

The last part is turning into a bit of a slippery slope, because so many things are starting to be excluded, but that’s another discussion entirely.

2 Spice ups

There are a lot of aspects to consider - there is the obvious part that most people think of - the down time and loss of revenue associated with the initial outage. But there is potential for lost future business, damage to reputation, potential physical harm to patients in a medical setting, legal ramifications for exposure of sensitive information, and civil liabilities arising from information compromise. Like Robert5205 said, it comes down to the risk tolerance of the business in question.

2 Spice ups

For the same reasons you purchase health and life insurance, you purchase cyber insurance: to manage risk. Having good practices and processes won’t stop a determined bad guy from getting in. A good rule of thumb is: could you defend the decision in court or on the front page of the NY Times?

1 Spice up

Hey OP - As you gather more insight from how other Spiceworks users utilize (or don’t utilize) cyber insurance, figured it’d be helpful to pass along a quick resource from our team to help you along with your decision-making journey: Cyber Insurance Explained - CrowdStrike

I’d say “the key to improving insurability lies in the organization’s ability to demonstrate comprehensive security coverage”.

One thing cyber insurance does is force you to implement stronger security measures than you already have in place (often at levels you’ll find unbelievably cumbersome and expensive) before covering you.

Before starting this process, you should perform (or contract) a security audit just to see where you are, and have a long discussion internally to weigh the costs of high compliance against the cost of a breach or other disaster, and then determine whether you need insurance.

Also, compare your current setup against the CIS Benchmarks, and look into the Nessus Vulnerability Scanner for additional insight. My opinion is that if you’re secure enough for insurance to cover you (at a price you can afford), you might not need insurance.

That said, this is your decision.

1 Spice up

Yes! Insurance could pay you back for time lost due to ransomware or virus disasters and downtime. One virus could cause your company to lose thousands or millions of dollars in lost productivity and downtime.

1 Spice up

We’re having the webinar “MSP Cyber Insurance: the rules are changing” today at 1:00 PM EST, about the same topic, centered around MSPs.

1 Spice up

I would say, like others, it depends on your risk management.

There are reasons to have cyber insurance: to be protected in case of ransomware and things like that. Insurance can help cover the company in case of downtime as well.

There are other things that cyber insurance could cover. If you have personal information stored and there is a data breach, insurance could cover you against any potential lawsuits and/or allow you to supply identity theft protection to those people whose data was exposed.

Depending on your line of work you might be required to have it. One place I was at if we wanted to work with client X we had to follow their rules as to the level of cyber insurance we needed to carry. So depending on the client you are working with that could also drive cyber insurance.

But there is a flip side to this. While cyber insurance is good, some policies have some crazy requirements to follow, and depending on your size and current “security” policies, the cost to be compliant plus the re-training of users on the new security procedures might outweigh the need for/cost of the cyber insurance.

Here for our cyber insurance, we had to apply MFA to all our servers and network devices. One company we were looking at wanted MFA on the desktop level for users to login.

Yeah, mixed feelings on this one. I think you have to weigh the cost of an insurance you may never need (gambling, anyone?) against the cost of downtime etc. Maybe better to invest that money in training for your IT group to start, and then training for all my friends at the bar! Or hedge your bets: do some training, and also take some insurance.

2 Spice ups

I mean, there is going to be a bit of “it depends” to properly answer that question. Even assuming IT is doing every possible best practice with every conceivable tool, methodology, etc. to block/prevent a security event, it’s not going to be 100% foolproof. No matter what, there can be no 100% assurance that you will NEVER have a security incident. CSI is there to help recoup the business’s lost expenses for downtime, loss of equipment, etc. from an event. IT best practices won’t do that. As a business, you need to decide that despite IT’s best efforts, WHEN (not if) an event happens, how severe is it likely to be and how much of the business is at financial risk. That is what CSI is there to mitigate.

1 Spice up

I think it’s a must have. No matter how secure you think your network is, there’s always gonna be at least 1 weak link that can be exploited by an experienced hacker (probably even a weaker script kiddie through decent social engineering). Patches will be exploited, equipment can go days or weeks without proper updates, and people can be fooled into giving information away. Pretty much like any other insurance, you hope you never need to use it, but you will be glad that you have it should an issue ever occur.

IMO yes, you do need it. You will be losing money every hour of your downtime, and insurance will help offset any lost $$$$$$$ regardless of your IT infrastructure.

1 Spice up

@ethanhunt3007 No one has mentioned business verticals. Here are the top three that require it for themselves and their customers:

  • Healthcare
  • Financial Services
  • Government

1 Spice up

I used to work in a manufacturing business in the south east of the UK. They had a sister business just on the border with Wales. Both businesses were covered by cyber insurance, but when the business in the south east of the UK got hit, they decided to pay the ransom rather than claim on the insurance. Their reasoning: if we claim on the insurance, the premium will go up and the sister company will know we have been hit.

1 Spice up

If you deal with financials, insurance, HIPAA… Yes. It is needed.

Does it make sense for everyone? No.

3 Spice ups

No amount of security can prevent an idiot from getting phished…so yes, you need insurance.

5 Spice ups