Incident Response and Insurance: Opportunities to Collaborate?

At the FIRST conference, Eireann Leverett and Marie Moe discussed a number of areas where incident response teams and insurers could usefully collaborate.

At present some cyber-insurance policies can seem expensive. One component of the cost is the contingency fund that insurers have to maintain in case their assessment of the likelihood and size of claims is wrong. In a new area such as insuring against digital incidents, a shortage of data means there may be considerable uncertainty involved in those assessments. That means large contingency funds, which contribute to high premiums. Many incident response teams have a lot of information about past incidents, which might help insurers reduce that uncertainty. For that to work, however, we need to be able to provide information about the cost of incidents, something that not all incident response teams collect. If you do have, or can obtain, that sort of data, Eireann and Marie would be happy to put you in touch with insurers who can use it.

That’s mostly about incident response teams helping insurers, but there may also be opportunities for insurers to help incident responders. Although there’s a tendency to think of insurance as being for rare, high-cost events, insurance companies also deal with relatively common problems – burst pipes, burglaries and similar. And – particularly when helping individuals, householders or small businesses – they often provide practical, as well as financial, help. When you make an insurance claim you’ll be put in touch with plumbers, carpenters, glaziers, or other local businesses that can resolve the immediate damage. It turns out that some insurance companies are already extending this to digital assistance: Eireann reported one instance of a small business insurance policy helping to remove ransomware from a customer’s computer. If that sort of help fits into insurers’ business models then it might be an alternative way to deal with things like virus infections as well.

Finally, it’s worth noting that just because your insurance policy doesn’t say “cyber” doesn’t mean it won’t cover accidents involving your computer. Policies for professional, business or household activities may not distinguish between events taking place in the physical world and those taking place online. Whether you’re buying a new policy or using an existing one, check the exclusions. If the worst does happen, your insurer may be worth a call.

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!
