Cyber Attacks Set To Become 'Uninsurable,' Says Zurich Chief
The chief executive of one of Europe's biggest insurance companies has warned that cyber attacks, rather than natural catastrophes, will become "uninsurable" as the disruption from hacks continues to grow. From a report: Insurance executives have been increasingly vocal in recent years about systemic risks, such as pandemics and climate change, that test the sector's ability to provide coverage. For the second year in a row, natural catastrophe-related claims are expected to top $100 billion. But Mario Greco, chief executive at insurer Zurich, told the Financial Times that cyber was the risk to watch. "What will become uninsurable is going to be cyber," he said. "What if someone takes control of vital parts of our infrastructure, the consequences of that?"
Recent attacks that have disrupted hospitals, shut down pipelines and targeted government departments have all fed concern about this expanding risk among industry executives. Focusing on the privacy risk to individuals was missing the bigger picture, Greco added: "First off, there must be a perception that this is not just data ... this is about civilisation. These people can severely disrupt our lives." Spiralling cyber losses in recent years have prompted emergency measures by the sector's underwriters to limit their exposure. As well as pushing up prices, some insurers have responded by tweaking policies so clients retain more losses.
You say that like it's a bad thing (Score:5, Insightful)
When the company (and the C level execs) have to explain the losses to shareholders, they MIGHT actually take steps to avoid the attacks or defend against them properly
Re: (Score:2)
Why should I bother doing both sides of the work when I get that side for free anyway?
Re: You say that like it's a bad thing (Score:2)
Re: (Score:2)
It's more that if you keep the poor uneducated, your dimwit offspring still has a chance for the C-Level and directorate position, just buy him a prestigious degree that that poor egghead over there just can't afford.
Re: (Score:2)
Why should I bother doing both sides of the work when I get that side for free anyway?
Indeed. The idea that IT Security people are doing the attacks is beyond stupid. The person claiming that is either a moron or a troll, or both.
First, the defenders do not have the skill-set. Attacker and defender are _very_ different. Requires some actual knowledge about the subject matter though. Not saying defenders cannot attack, but staying unidentified or undetected is a lot harder than simply attacking and so is being effective as an attacker. Second, anybody doing that as an IT security expert will
Re: (Score:2)
I get this hint that you're also in the field somehow? Devil or Smurf, I mean, Red or Blue Team?
I want to add that the work ethic is pretty high in the field in general. Yes, we play around (and the "report any appearing or disappearing ATMs" rule at Black Hat sure put a smile on my face) but I can't remember any relevant incidents where a White Hat actually abused his access for personal gains. The industry is also pretty small. Growing, yes, but still small enough that you at least know the important peop
Re: (Score:2)
I get this hint that you're also in the field somehow? Devil or Smurf, I mean, Red or Blue Team?
Mostly meta these days. IT Security auditor, academic IT Security educator. Before that IT Security consultant with a strong engineering focus. And before that an on-topic PhD.
I want to add that the work ethic is pretty high in the field in general.
It is. Greed is rare and people really want to do a good job defending whoever they work for. Also anybody going over to the dark side knows there is no leaving it. So you find mostly the mediocre and the bad wannabes on the attacker side. As IT security of current systems (MS, I am looking at you) is really atrociously bad, even the
Re: (Score:2)
And before that an on-topic PhD.
An on-topic PhD? Your name ain't Martin by any chance, it's the only person I know with a PhD in a security related field. And given your user-ID, you could be old enough too... :)
Greed is rare and people really want to do a good job defending whoever they work for
Greed is pointless. If you're greedy, just ask for more money. It is going to be paid. But like you said, most just want to do good work. We already get more money than we can spend. Ok, at least I do. Like the Joker in the only Batman movie worth watching said, my hobbies have one thing in common, they're cheap. I don't need more
Re: (Score:2)
you are mostly concerned with unwanted functionality, not wanted functionality
You have to understand what's going on.
Indeed. You need to understand the whole thing, not just the part that was built intentionally for the functionality that was intended. And then you need to understand how that could be used by an attacker, often in combination with other things.
Because you have to ponder and build on top of it. You have to look at the item, ponder "what happens if I...?" and then try it. For this, understanding is key. And that's at the same time the big problem.
We're interviewing about 1-2 people a month. Most of them having security related degrees. And they're doing fine as long as we're talking about standard stuff, from cipher and certificate related theoretical problems to web server testing. Great.
Well, anybody with some intelligence and dedication can do that. It is not enough by far. It is again, the "intentional functionality" mind-set, where you learn how things are supposed to be done, but that is it. Ways for attackers to get in are rarely added intentio
Re: (Score:2)
I don't want to knock people who hold a degree. There are the people who studied it because they are genuinely interested in the subject. I have a guy aged 25 who knows more than I did when I was 40 because he had the chance to actually study it AND he was into the whole stuff because he wants to do it.
What a degree can do is shave off a few years of experience and trial and error. That's all it can do. And in the average interview, you quickly notice whether that person has the degree because he thought th
Re: (Score:2)
What a degree can do is shave off a few years of experience and trial and error. That's all it can do.
Actually it can do more, but only if you have the talent for it and you understand that a degree does not replace real-world experience. And only for certain career paths. In many cases you are exactly right. The problem is that on BA/MA level you always learn mostly things that are outdated and you get only limited hands-on experience with them. When I teach in the IT security field, I typically try to add current examples, ideally from the last few weeks. That is surprisingly often possible. But many lect
Re: (Score:2)
That's one of the reasons why some of the people working here hold lectures in one of our security colleges and we have an internship cooperation with them going. We're pretty much hoovering up every promising student. With some of them, getting that degree was really just a formality.
The fast-moving target is real, very true, but a good curriculum doesn't try to teach the current fad or the latest hot shit that got discovered, what I need from them is the fundamentals. And those don't change. The encryptio
Re: (Score:2)
This requires some agent exist that can certify that best practices have been followed, which requires another agent to determine what are the best practices. Application/OS software-security is a moving target, so that is very difficult. Insurance firms failed to respond to the warnings of poorer countries driving cyber-crime, or of global warming: Thus, the rules are being changed so they don't have to pay.
This may mean the end of insurance, meaning only mega-corporations will survive any crime-wave o
the cost of downtime for updates / cost to have an (Score:2)
the cost of downtime for updates / cost to have a system that can do rolling updates without downtime also has its costs as well.
Re: (Score:2)
the cost of downtime for updates / cost to have a system that can do rolling updates without downtime also has its costs as well.
Yes it does. Your choice.
Re: (Score:2)
When the company (and the C level execs) have to explain the losses to shareholders, they MIGHT actually take steps to avoid the attacks or defend against them properly
This. When it's cheaper to mitigate the effects than prevent the problem in the first place, the C level will always go for mitigation.
I honestly think we need to bring in hard punishments for the kind of negligence that results in ransomware or cyber attacks. When some C-levels are sitting in Federal PMITA prison, then the rest will think twice (unfortunately, it'll be about how to blame the problem on someone more junior, see: the dieselgate saga).
Re: You say that like it's a bad thing (Score:2)
How about we put the actual criminals in prison.
Re: (Score:2)
If only you were right. Being in the holidays and with a New Year approaching, I think you are a bit optimistic :)
You really know what will happen, the C level execs will blame and fire the Cyber Security person who became a PITA by trying to tell them the need to spend real money to fix the problem.
Re: (Score:2)
Yes and they will hire the Cyber Security person that was fired from company B and start all over until they run out of money. Then they will hire some student that followed a computer course in university and the company will close on the next intrusion. The level C execs will then cry how they can't find decent employment because of age discrimination.
Re: (Score:2)
I couldn't disagree more. Insurance is used to manage risk, not eliminate it. The core problem is that there are no IT "solutions" to cybercrime. The capabilities and implications are asymmetric; the perpetrators face very low risks and have a much easier task than the defenders. Not only that, but so much business-critical software is now in the SaaS realm that many of the better defense strategies are now out the window.
My company just moved our accounting software to the cloud, and our phone systems to
Re: (Score:2)
No, they actually fired or drove off the expertise... "It wasn't important or core to the business"
Not my first rodeo and I've watched this go on for 40 years.
THEY use insurance to pad their stupidity
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
log4shell, shellshock and heartbleed were all due to halfway devs using code they didn't fully understand... Just grabbing something "off the shelf" and running it in a corporate environment, selling it as though it had been "hardened"... And it hadn't been. Yeah, if you want to run a small shop and behave that way, you may well be sued out of existence if you're not very careful about how you run things.
"Move fast! Break things" can't be an exemplar anymore... And never should have been.
It was the ultim
Re: You say that like it's a bad thing (Score:2)
Your Risk Analysis Is No Longer Accurate (Score:1)
and you can't make any more money.
Hopefully, the insurance industry will slowly stop insuring many things until they fold up and disappear.
Maybe get the almighty government involved and force them to insure cyber attacks.
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
A better threat: Imagine such a country being cut off from international banking and trade.
The countries we're talking about are already curtailing their citizens' access to internet resources themselves, it's not like sanctions in this area would do them any harm.
Unsurprising (Score:1)
I've seen several companies buy cyber insurance now and every single one of them involves their bean counters to figure out what the absolute minimum is they have to change or fix to get coverage with an acceptable premium. i.e.: it's not about protecting customers and their data, it's about cost control.
Given the number of large scale breaches in recent years I'm not at all surprised that insurance companies, which operate at the same level of honor as bookmakers and organized crime (but still have to answ
Re: (Score:2)
i.e.: it's not about protecting customers and their data, it's about cost control.
That is inevitably what insurance is for.
not uninsurable (Score:1)
Re:not uninsurable (Score:5, Insightful)
A thing is uninsurable if the cost of the insurance exceeds its value. In principle, of course one could buy insurance that costs more than the value of the thing being insured, but so few people would do so that it is uninsurable. (If the insurance were 2x or 3x the value, the number of people buying would certainly be very close to 0 - if nobody buys at the cost of insuring, it means the insurance product is unviable and by any reasonable definition of uninsurable, it is.)
Re: (Score:2)
Bought a 1993 pickup last year for $1500. Insurance, which I'm legally required to have in order to drive it on public roads, is $32/mo extra on top of my existing auto insurance stuff.
I don't have a break down on it, but most of the extra cost is health related (I have very large limits on hospitalization stuff on my car insurance - vehicles are relatively cheap/easy to fix compared to a human)
If it were only theft/damage on the truck itself that I was covering I'd be a fool to pay it, I'll have spent mor
Re:not uninsurable (Score:5, Insightful)
A risk is uninsurable, or considered uninsurable, if the cost to insure exceeds the value protected. Also, in this particular case, the risk being uninsurable stems from the repeat damage. We're not talking about some expensive vase that is worthless when it was broken once. We're talking about something that can be broken again and again and again, every single time with associated damages.
Re: (Score:2)
A risk is uninsurable, or considered uninsurable, if the cost to insure exceeds the value protected. Also, in this particular case, the risk being uninsurable stems from the repeat damage. We're not talking about some expensive vase that is worthless when it was broken once. We're talking about something that can be broken again and again and again, every single time with associated damages.
The thing about insurance is that it distributes risks amongst all involved parties, so that everyone pays for the few that screw up (wait, Uncle Mikey, isn't that communism? Yes little Jimmy, yes it is but we don't call it that). When the cost of paying for the few who screw up becomes greater than the total everyone is willing to pay insurance companies have a problem.
Re: (Score:3)
The thing about insurance is that it distributes risks amongst all involved parties, so that everyone pays for the few that screw up (wait, Uncle Mikey, isn't that communism? Yes little Jimmy, yes it is but we don't call it that).
Correct; insurance is a capitalist implementation of socialist principles.
Re: (Score:2)
A risk is uninsurable, or considered uninsurable, if the cost to insure exceeds the value protected.
Yes, and this varies greatly. If you provide a good or service that is not critical - greeting cards, cat videos, word games, etc. then all the cost of an intrusion is basically your own cost of remediation. If you are, say, a water utility, a healthcare provider, or a commercial datacenter operator, then you may be exposed to massive liability from loss of your service to your clients as well as just yourself. If people die because the hospital was hacked, damages could be far greater than simply the co
What, no inspections? (Score:5, Interesting)
Re: (Score:1)
Re: (Score:2)
Re:What, no inspections? (Score:5, Insightful)
Insurance insures companies and their business, not "systems".
I have had cyber-insurance for the companies that I work for. There is an assessment on both the business and the security of the organization before you even get to an insurance broker (Marsh McLennan in our case). Are you processing credit cards? If yes, do you have PCI DSS certification? Do you work with EU citizen data? If yes, do you comply with GDPR? And so on. Do you have risk management? Security team, budget, policy, and roadmap? And so on.
Then - what do you want to cover? Do you "protect" yourself from cyberattacks? Your own mistakes? Supply chain attacks? Service outages? Employee misdemeanor? Direct costs of handling an incident (eg buying professional services to clean up your network)? Damages to third parties? This is all interwoven with other insurance types (executives & officers insurance and whatnot). If your head of marketing runs off with your client database, is this "cyber"?
The area is rather complicated. 90% of this is legal, 10% security. I also claim that most people in the area do not understand what it is. The legal people have no idea about security, the security and risk management people do not understand legal, and the two sides rarely meet.
Re: (Score:1)
I wish I could mod you up insightful on this.
Re:What, no inspections? (Score:4, Interesting)
Our policy gives a two page set of questions, none of which really reflect today's risk of payout for the company. They do not ask if any users have easily guessed, written on a post-it, or re-used passwords. They do not ask if you use security tokens for login or remote access. They don't ask if you have a smart cloud infrastructure. The insurance companies don't have good ways to make the assessments.
One of our clients (an HMO) gave us an exponentially more complex risk assessment. The response conveyed back to their CEO is that compliance with this assessment would require us to double our fees; it was literally a seven-figure task to do the things they were asking for. Much of it was good ideas, but trying to set up a SCIF store for their (non-patient, non-IT) data and create and document processes for all the once-every-three-plus-years tasks was not in line with the services we provide.
Proper security is just an impossible ask for a company with more than 3 people and less than 2,000. The talent pool does not exist. It might also be impossible when you get over 5,000 people. Too much becomes chance.
Re: (Score:2)
Indeed. There is an additional problem though: It is getting more than 10% security. Not because the legal aspects shrink, but because the risk of getting hit really bad on the IT security side is now pretty high and the IT security side must critically go beyond checklists and into actual understanding.
Re: (Score:2)
Tall buildings that have passed a building code inspection get insured.
Your example demonstrates the pointlessness of your mitigation claims. Tall buildings pass building codes. Period. The fact that there are legally binding codes that underpin its very existence automatically makes all tall buildings insurable.
Yeah that's one specific example, but I'm latching on to it since it underpins how insurance is made. You have a tall building. As far as the insurance company is concerned that's that. Now the insurance company will determine value of the insurance depending on the va
architectures have state licenses and the power to (Score:2)
architectures have state licenses and the power to tell the boss to fuck off on doing something unsafe.
Re: (Score:2)
Exactly. And in the IT field, the typical coder or even engineer often does not even understand what would be unsafe. And there are lots of exceptionally unsafe mainstream practices, like the insane mess with massive numbers of more-or-less arbitrary external dependencies in web-applications. People are _taught_ to do it that way and anybody with some real engineering expertise can see this will never be safe or secure and cannot be fixed.
Re: architectures have state licenses and the powe (Score:2)
Do software engineers even exist? The title gets tossed around as interchangeable with "software developer", and is meaningless from a PE perspective. NCEES discontinued their Software Engineering exam in 2019. Almost nobody took the exam [ncees.org].
And as you've already observed, web applications are a sloppy mess of random garbage thrown together with duct tape, thoughts, and prayers.
And then there is "Agile"...
Re: (Score:2)
Re: (Score:2)
Indeed. When insuring IT security, insurances are basically asked to insure arbitrarily built houses of cards. That only works when there is quite low risk of an actual attack. And that time is over.
In the end, we will have to lift the IT and IT security field to proper engineering standards. Like all other engineering disciplines have achieved, but the IT workers refuse to do.
Re: (Score:2)
Re: (Score:2)
It is both. Just look at the uproar that starts here when it is suggested coders should bear some responsibility and liability for the stuff they produce. Some will say "Yes, if I get the time and money for it" and these are the good ones, i.e. the ones that could or do work on real engineering level, not bloody amateur hack level. But the majority will just scream bloody murder and an unqualified "do not want".
At the same time, no actual engineer would find it strange to be held liable for shoddy practices
Re: (Score:2)
Hard to assess risk when it changes dynamically as bugs are patched and discovered, staffing changes, and threats evolve.
Re: (Score:2)
They do not have enough experts for that. In theory, they could make the customer pay for inspection beforehand before they decide to accept the risk or not. But the market does not (yet) allow that, so they have to have in-house experts to keep cost down. Also, they simply cannot get enough qualified ones (internal or external ones) that not only really (!) understand IT security, but also really understand how risk management and compliance works.
Re: (Score:2)
Looks like someone wants a free pentest of their services.
So does that mean we're going to revert? (Score:1)
Does that mean that companies that deal with lots of information are going to need to hire people to put that information in and out of air-gapped storage systems? At what point does it become cheaper to just have people doing paperwork and answering the phone instead of securing an online system?
Re:So does that mean we're going to revert? (Score:5, Insightful)
That or revert to older network architectures. Construct the internal company network so it isn't connected to the Internet directly. Use bastion hosts in a DMZ for external connectivity, and then use VPNs to connect the DMZ to organizations you need to transfer data with. Do not permit any non-company devices to connect to the internal network. If access to the Internet is important for employees, have a separate public network for that and allow personal devices there but do not allow any interconnection with the internal network. If internal systems are cloud-hosted, use vnets and VPNs to isolate them from the Internet and connect them to the internal network. It takes some work, but it was a solved problem 20-30 years ago. It completely boggles me that we ever bought into the idea that we should allow devices and networks that were directly connected to the Internet to also directly connect to internal corporate systems.
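The architecture the comment above describes (internal network with no direct Internet path, bastion hosts in a DMZ, VPNs to partner organisations and to cloud vnets, a separate guest network for personal devices) can be written down as an explicit flow matrix and checked before firewall rules go live. The following is an added example, not code from the thread; the zone names, the allowed-flow table and the sample rules are constructed assumptions that follow the comment's description, with everything not listed denied by default.

```python
"""Added example: a default-deny flow matrix for the segmented network
described in the comment. Zone names and the allowed pairs are assumptions
made for this example, not a vendor's or the commenter's configuration."""
from dataclasses import dataclass

# Zones from the comment (names assumed for this example).
ZONES = {"internal", "dmz", "internet", "partner_vpn", "guest", "cloud_vnet"}

# Explicitly allowed (source, destination) pairs; anything else is denied.
ALLOWED_FLOWS = {
    ("internal", "dmz"),          # internal hosts talk to bastion hosts only
    ("dmz", "internal"),          # bastion hosts relay approved traffic back
    ("dmz", "internet"),          # only the DMZ has an Internet path
    ("dmz", "partner_vpn"),       # partner data exchange goes DMZ -> VPN
    ("partner_vpn", "dmz"),
    ("internal", "cloud_vnet"),   # cloud-hosted internal systems joined by VPN
    ("cloud_vnet", "internal"),
    ("guest", "internet"),        # personal devices get Internet and nothing else
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    description: str = ""


def is_allowed(flow: Flow) -> bool:
    """Default deny: a flow is allowed only if its zone pair is listed."""
    if flow.src not in ZONES or flow.dst not in ZONES:
        raise ValueError(f"unknown zone in {flow}")
    return (flow.src, flow.dst) in ALLOWED_FLOWS


def audit(flows):
    """Return (flow, verdict) pairs, denied flows first, original order kept."""
    return sorted(((f, is_allowed(f)) for f in flows), key=lambda r: r[1])


def violations(flows):
    """Flows that the segmentation policy would reject."""
    return [f for f, ok in audit(flows) if not ok]


# Constructed sample of proposed firewall rules submitted for review.
SAMPLE_FLOWS = [
    Flow("internal", "internet", "workstations browsing directly"),
    Flow("guest", "internal", "BYOD phone reaching the file server"),
    Flow("internal", "dmz", "workstation to bastion host"),
    Flow("dmz", "partner_vpn", "SFTP to supplier over site-to-site VPN"),
    Flow("cloud_vnet", "internet", "cloud database on a public address"),
    Flow("guest", "internet", "guest wifi browsing"),
]

if __name__ == "__main__":
    for f, ok in audit(SAMPLE_FLOWS):
        print("ALLOW" if ok else "DENY ", f"{f.src} -> {f.dst}", "|", f.description)
```

Running the block prints the three direct-to-Internet or guest-to-internal rules as denied and the bastion, partner-VPN and guest-browsing rules as allowed; adding a zone pair to `ALLOWED_FLOWS` is the only way to open a path, which is the point of writing the policy as an allow-list.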
Re:So does that mean we're going to revert? (Score:4, Interesting)
That's not a complete solution, but it's a major step in the proper direction. The problem is that having rules doesn't keep someone from breaking them. And wireless devices may create a problem. And even keyboards are usually wireless these days.
OTOH, it should USUALLY work.
Re: (Score:2)
Corporate network usually means managed switches. Company devices have signed certificates to authenticate via 802.1X. Personal devices don't. Set up the networking infrastructure so that any device that can't authenticate causes the port it's on to be disabled until it's unplugged. It's a rote setup. 802.1X works over wireless, so that solves that problem too (although I'd suggest not using wireless at all for the corporate network except for connecting peripherals to PCs).
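The port behaviour described in the comment above (a device that cannot authenticate via 802.1X gets its port disabled until it is unplugged) is easier to reason about as a small state machine. What follows is an added example and not the commenter's configuration or any vendor's code: the company CA name, the certificate serials and the revoked-serial list are constructed, and the `authenticate` function stands in for the real EAP-TLS/RADIUS exchange.

```python
"""Added example: a model of an 802.1X-secured switch port that goes
err-disabled on authentication failure and only recovers on link-down.
CA name, serials and the revocation list are constructed for this example."""
from dataclasses import dataclass
from typing import Dict, List, Optional

COMPANY_CA = "CN=Example Corp Device CA"   # assumed issuer of company device certs
REVOKED_SERIALS = {"0x2a"}                 # constructed revocation list


@dataclass(frozen=True)
class DeviceCert:
    issuer: str
    serial: str


@dataclass
class Port:
    name: str
    state: str = "unauthorized"   # unauthorized | authorized | err-disabled
    link_up: bool = False
    failures: int = 0


def authenticate(cert: Optional[DeviceCert]) -> bool:
    """Stand-in for the EAP-TLS decision: company-issued and not revoked."""
    if cert is None:                     # personal device, no supplicant/cert
        return False
    return cert.issuer == COMPANY_CA and cert.serial not in REVOKED_SERIALS


class Switch:
    def __init__(self, port_names: List[str]):
        self.ports: Dict[str, Port] = {n: Port(n) for n in port_names}
        self.log: List[str] = []

    def link_up(self, port_name: str, cert: Optional[DeviceCert]) -> str:
        """Device attached: run authentication, or refuse if still err-disabled."""
        p = self.ports[port_name]
        p.link_up = True
        if p.state == "err-disabled":
            self.log.append(f"{p.name}: auth attempt while err-disabled, ignored")
            return p.state
        if authenticate(cert):
            p.state = "authorized"
            self.log.append(f"{p.name}: 802.1X success serial={cert.serial}")
        else:
            p.state = "err-disabled"
            p.failures += 1
            self.log.append(f"{p.name}: 802.1X failure, port err-disabled")
        return p.state

    def link_down(self, port_name: str) -> str:
        """Unplugging is the only event that clears err-disabled."""
        p = self.ports[port_name]
        p.link_up = False
        p.state = "unauthorized"
        self.log.append(f"{p.name}: link down, port reset")
        return p.state

    def forwarding(self, port_name: str) -> bool:
        p = self.ports[port_name]
        return p.link_up and p.state == "authorized"


if __name__ == "__main__":
    sw = Switch(["Gi1/0/1", "Gi1/0/2"])
    sw.link_up("Gi1/0/1", DeviceCert(COMPANY_CA, "0x10"))   # company laptop
    sw.link_up("Gi1/0/2", None)                             # personal device
    sw.link_up("Gi1/0/2", DeviceCert(COMPANY_CA, "0x11"))   # retry without unplugging
    sw.link_down("Gi1/0/2")
    sw.link_up("Gi1/0/2", DeviceCert(COMPANY_CA, "0x11"))   # unplug, replug: works
    print("\n".join(sw.log))
```

The `failures` counter is what a NAC or SIEM rule would alert on: a port that repeatedly err-disables is either a misconfigured company device or an unmanaged one being plugged in, and both deserve a look.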
Re: (Score:2)
Does that mean that companies that deal with lots of information are going to need to hire people to put that information in and out of air-gapped storage systems?
For some industries this should be mandatory. For example, the pipeline incident a year or 2 ago. There is no reason for pipeline control to be on the internet. Same for electric generation.
FTFY (Score:2)
Cyber Attack Insurance Set To Become 'Unprofitable,' Says Zurich Chief
Re: (Score:2)
Re: (Score:2)
Cyber Attack Insurance Set To Become 'Unprofitable,' Says Zurich Chief
Yes, so? Insurances are for-profit. They do not do unprofitable products. If they do, they eventually go bankrupt.
The current incentives are wrong. (Score:4, Insightful)
The sole value of contemporary corporate culture is greed. In order to do business, corporations have to pretend to take "security" seriously, for example by getting a SOC2 certificate. Having this document, the C level people can focus on greed (fucking employees, customers and "partners") and when they are hacked, they pick the standard "talking points" from the latest McKinsey & Co "Greed Is Good 101 Handbook" and lie about how much they value their customers' privacy.
I believe the only way to fix the problem is to change the incentives, both for the corporations and for the crooks. The insurance companies are just greedy corporations who aim to maximize their own profits. Changing the coverage will not fix the problem.
The problem is greed. The corporations skip corners to maximize profits (and insane bonuses for the CEO's court), and the crooks (more and more of them) do hacking because it's profitable. In order to fix the problem, I think it must be illegal to for example pay ransoms to crooks. If that's illegal in a meaningful way, then the incentive for the crooks will vanish. If C level people are routinely criminally prosecuted after a breach, and the investigation looks at the actual security measures and security competence in the organization, clown-show performances like SOC2 will lose their value. Corporations will need to hire competent security people and implement real security measures and/or limit their exposure by not harvesting non-essential sensitive data. As long as it's legal to pay extortion fees to crooks, and perceived security is cheaper than actual security, the problem will not get better.
Re: (Score:2)
Realistic expectations (Score:5, Insightful)
If I can end up getting a prison term because some nerd in systems admin gets seduced by a cutie, then I'm not going to accept the job and no rational, competent person will accept the job. This is the same issue with those who want to charge those in charge of safety at an organisation when something goes wrong.
The real answer is to accept that some things can and should be managed, and some things are unavoidable. This is the origin of the concepts of 'reasonable error', 'negligence' and 'gross negligence'. The problem lies in the fact that when something goes wrong due to 'reasonable error', the pressure to find a scapegoat can be overwhelming, and establishing it was 'reasonable error' may be hard to establish; instead the professional gets railroaded by public opinion because the law allows for the possibility...
Re: (Score:2)
If I can end up getting a prison term because some nerd in systems admin gets seduced by a cutie
1. Many nerds are a lot less gullible than public opinion has it.
2. If you did not make sure critical stuff has a 4-eye principle in place, then you deserve that prison term.
4-eye principle (Score:2)
That's a good answer, and probably an example of something whose absence should attract prison terms. I just suspect that it's nothing like sufficient and the massive range of threats means it's unreasonable to expect perfection, especially in smaller firms. We can probably enforce that sort of standard in the private sector, but in cash strapped public sector organisations it's going to be harder. Getting politicians to agree to properly paid IT staff rather than employ more teachers / police officers etc
Re: (Score:2)
I agree on that.
Re: (Score:2)
If I can end up getting a prison term because some nerd in systems admin gets seduced by a cutie, then I'm not going to accept the job and no rational, competent person will accept the job.
If you are the CEO of a corporation that handles sensitive data, and that data is stolen from you, then a criminal probe to you and the corporation should be expected and warranted. If you have taken good measures to prevent the theft, then you should be fine, and the corporation should be fine. If you hired a good-talking but clueless friend as CSO, - then there may be a question about criminal neglect. If you de-funded the entire security team in order to boost the quarterly profits, and hence your own bo
Re: (Score:2)
Hmmm... The problem is, and will be for the foreseeable future: 'What is enough spending on security?' There's always a trade-off, and we are in danger of giving the IT security section a blank cheque.
I like your approach in general though.
Re: (Score:2)
If crooks can't monetize the stolen data, there will be no highest bidder, or the bids will be so low that the theft is not worth the effort and risk.
The problem today is that there is an enormous economic incentive to hack organizations, because they are easy to hack, spineless, and likely to pay the ransomware fee rather than restore a backup - because that makes the most "economic sense" in the short term. (Heck, lots of corporations using the "cloud" probably don't even have backups)! This has led to
Simple remedy (Score:4, Interesting)
Just for reference purposes, the top ten originators of the world's cyber attacks are **roll on snare drum**:
1. China - 41 %
2. USA - 10 %
3. Turkey - 4.7 %
4. Russia - 4.3 %
5. Taiwan - 3.7 %
6. Brazil - 3.3 %
7. Romania - 2.8 %
8. India - 2.3 %
9. Italy - 1.6 %
10. Hungary - 1.4 %
Re:Simple remedy (Score:4, Interesting)
It's even easier than that: Do what a lot of EU countries did and make C-Levels personally liable for gross negligence when it comes to security. If your company screws up and you can't show that you did what's necessary to secure the crap, your old Ferrari will have to do for another year because this year the money you earmarked for a new one goes to paying that fine.
Since we had that, security budgets went up by magnitudes. Because C-Levels prefer to cough up company dough than their private stash.
Re: (Score:2)
It's even easier than that: Do what a lot of EU countries did and make C-Levels personally liable for gross negligence when it comes to security. If your company screws up and you can't show that you did what's necessary to secure the crap, your old Ferrari will have to do for another year because this year the money you earmarked for a new one goes to paying that fine.
Since we had that, security budgets went up by magnitudes. Because C-Levels prefer to cough up company dough than their private stash.
That too but visiting consequences on people for negligence and apathy only works in your jurisdiction. Tariffs, preferably targeted tariffs, would be an easy way to create large lobbies in cyber crime nests like China who'd be willing to exert pressure on government to clamp down on this kind of behaviour with all the weight of the state's HUMINT/ELINT assets and law enforcement apparatus because these cyber criminals would now be getting in the way of them doing legitimate business.
Re: (Score:2)
Re: (Score:2)
Not saying you're wrong but you probably want to weight that % by population.
I have no problems with considering that option.
Good (Score:2)
the risks are unquantifiable (Score:2)
and, even worse, orgs that are known to have insurance tend to attract attackers.
For these two reasons, there is no place for insurance in cybersecurity.
BTW, paying ransom should be outlawed - it would help, IMO
Elephant in the room (Score:2)
The same companies that can demand their applicants possess a college degree also refuse to demand their employees use a secure operating system.
While a certain company has gotten better in recent years with respect to reliability and security, they still operate with a consumer-devices mindset, because their flagship product is used to sell PCs, not to provide security in computing. Their EULA specifically disclaims liability for security bugs. Why Corporate America believes they should be using a pr
Don't insure the high risk until they improve (Score:1)