Insurance for information security is changing. Recently some reports came out that there were moves by insurance companies to leave the cybersecurity insurance market - that it was uninsurable. Dan, Brian, and Erik discuss on this week's Great Security Debate:
What happens now that cybersecurity insurance is built into contracts and requirements by customers doing business with other companies?
Are the carveouts such that it’s easier to just pay and not inform insurance that you want them to pay for the incident?
Does having “easy” insurance give too many orgs a pass on having to actually improve their security control sets?
How do insurance “formularies” make companies less secure by not letting them buy the newer, better technologies?
Conversely, how does the formulary of products help prevent from buying junk tech that calls itself “security”?
How does the threat of nonpayment of expenses and losses by insurance companies after the fact affect organisational security decisions for or against the formulary?
How is relying on insurance to determine tech standards the same as the EU demanding all chargers be USB-C?
Does insurance go away altogether? Do we want it to go away?
What is the law of the horse and how does it apply to insurance in information security?
Can shifting downstream supplier risk into insurance really work to reduce risk?
Is security a cost centre, a cost of doing business, or a potential profit centre for orgs?
Should we shift from insurance mandate to “figure it out”
How does the conscious decision not to patch because the patch causes worse issues affect the insurance coverage?
How can we balance the expectation with our technology suppliers to maintain support longer, especially on IOT or high-cost, long life devices?
Can a move toward clear, yet broad expectations on controls be enough to meet security expectations for insurance without prescriptive formularies of technology and process?
Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you use them. We do not make our recommendations based on the availability or benefits of these affiliate links.