2017: NotPetya - damages over $3 billion
2020: SolarWinds - damages just over $90 million
2021: MS Exchange - nothing material reported, according to Gallagher Re.
The drivers here are cyberinsurance companies doing pen tests and requiring customers to patch things up quickly or face financial penalties. Cyberinsurance is set to be as big a market as property and casualty insurance in the next 10 years or so, making the sector no longer P&C, but PC&C.
There's still tons of security to do, but now it's getting done faster. Insurance underwriters are also looking at ways to package big-ticket cybersecurity tools for small-medium size customers and are also driving more personal security for the WFA (work from anywhere) crowd.
Quote from: deanwebb on March 16, 2022, 09:15:00 AM
2017: NotPetya - damages over $3 billion
2020: SolarWinds - damages just over $90 million
2021: MS Exchange - nothing material reported, according to Gallagher Re.
The drivers here are cyberinsurance companies doing pen tests and requiring customers to patch things up quickly or face financial penalties. Cyberinsurance is set to be as big a market as property and casualty insurance in the next 10 years or so, making the sector no longer P&C, but PC&C.
There's still tons of security to do, but now it's getting done faster. Insurance underwriters are also looking at ways to package big-ticket cybersecurity tools for small-medium size customers and are also driving more personal security for the WFA (work from anywhere) crowd.
GL when the vendors' patches don't come out in a respectable time (thinking that the companies need to hold the vendor responsible). I guess that would open a new world of insurance: buying insurance to make sure that a patch is available on time, otherwise the vendor has to pay the financial penalties that the company owes the cyber insurance company.
Or like the Log4j threat, where the patches were coming out every other day, and one has to patch 600-800 servers, which takes a couple of days. That makes for lots of system downtime, not meeting the 99.999% ("five 9s") uptime, so the cyber insurance company needs to pay the company for the excessive downtime and losses it incurs in order to meet the patching contract requirements.
Those are issues that they're taking on and getting answers for. I personally hope to see the end of "five nines" in an SLA because it's reckless how it pushes production over security.