Strange, that we see ‘cyber’ (#ditchcyber) Insurance behaving as if it’s not Insurance but banking:
A banker is someone who lends you an umbrella, but wants it back when it starts to rain
Which already leaves a lot to add: ‘lends against a princely interest sum’, ‘the umbrella will be small, not enough to protect your family; that’s the Deluxe edition for a premium’, not ‘starts to rain’ but ‘is predicted to be only slightly possible to have rain in some undisclosed upcoming time period’, ‘wants it back’ means ‘has it repossessed, violently’. Etc.
But that’s not the issue. The issue is that the underwriter of the insurance will not want to pay out. Duh.
Because it’s not if but when you’ll get wet. Despite all reasonable, or more, efforts on your side to protect yourselves from it by not being in the streets when the first drops fall. But then, you can’t stay inside all the time; you’re in business which means going out to play. No matter what sou’wester you don, you’re done.
In other words, no matter how perfect your compliance with, e.g., ISO2700x, you are not safe. Which means you’ve overlooked something, didn’t do e-ve-ry-thing perfectly 100,0% – certainly not when ‘compliance’ means ‘60% or above, of the reasonable efforts’. If the latter is 80% of max, you still end up having done less than 50% of what was possible. In the remaining more than 50%, there certainly is something that, with hindsight and the progressive insight you have now that you’ve been hit, you may have done differently.
And the insurers only act on hindsight, qua culpability and cover…