Is CyberLiability Insurance Becoming A More Feasible Risk Management Strategy?

The cyberinsurance market today represents only a tiny segment of the overall insurance industry, and a recent Forrester paper on the topic identified that only a very small percentage of organizations that have purchased business insurance have also purchased cyberinsurance. Many insurance companies, however, are now estimating a period of significant growth in this area, and recent conversations suggest that more companies are either interested in this coverage or have recently purchased such policies.

I'm interested to know where your organization sits on this topic. If you have a minute, please respond to our short poll on the topic.

You can find the poll in the right column of this page, below the “About the Analyst” or “About this Blog” section.

------------------------------------------------------------------------------------------------------

7/22 UPDATE - An interesting story which seems to suggest that Sony may be trying to claim under its existing 'traditional' insurance policies to cover its recent cyber-losses, much to the annoyance of the insurer... http://www.theregister.co.uk/2011/07/22/sony_breach_insurance/

In the unlikely event that Sony do manage to get the insurer to pay, that would be an interesting development for the future of cyberliability insurance...

InfoSec In The Supply Chain

The importance of data security throughout the supply chain is something we have all considered, but Greg Schaffer, acting deputy undersecretary of the National Protection and Programs Directorate at the Department of Homeland Security, recently acknowledged finding instances where vulnerabilities and backdoors have been deliberately placed into hardware and software. This is not a new risk: in 1995 we watched Sandra Bullock star in 'The Net' and address this very issue. However, the startling candor of Mr. Schaffer's admission means that it can no longer be categorized as "Hollywood hacking" or as a future risk.

The potential impact of such backdoors is terrifying, and it is easy to imagine crucial response systems being remotely disabled at critical moments for financial or political advantage.

If we are dedicated to the security of our data, we must consider how to transform our due diligence process for any new product or service. How much trust can we put in any technology solution where many of the components originate from lowest-cost providers situated in territories recognized to have an interest in overseas corporate secrets? We stand a chance of finding a keylogger when it is inserted as malware, but if it is built into the chipset of our laptops, that is an entirely different challenge... Do we, as a security community, react to this and change our behavior now? Or do we wait until the risk becomes more apparent and widely documented? Even then, how do we counter this threat without blowing our whole annual budget on penetration testing for every tiny component and subroutine? Where is the pragmatic line here?
