Decreasing costs of major vulnerability exploits

Started by deanwebb, March 16, 2022, 09:15:00 AM


deanwebb

2017: NotPetya - damages over $3 billion

2020: SolarWinds - damages just over $90 million

2021: MS Exchange - nothing material reported, according to Gallagher Re.

The drivers here are cyberinsurance companies doing pen tests and requiring customers to patch things up quickly or face financial penalties. Cyberinsurance is set to be as big a market as property and casualty insurance in the next 10 years or so, making the sector no longer P&C, but PC&C.

There's still tons of security to do, but now it's getting done faster. Insurance underwriters are also looking at ways to package big-ticket cybersecurity tools for small-medium size customers and are also driving more personal security for the WFA (work from anywhere) crowd.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

icecream-guy

Quote from: deanwebb on March 16, 2022, 09:15:00 AM
2017: NotPetya - damages over $3 billion

2020: SolarWinds - damages just over $90 million

2021: MS Exchange - nothing material reported, according to Gallagher Re.

The drivers here are cyberinsurance companies doing pen tests and requiring customers to patch things up quickly or face financial penalties. Cyberinsurance is set to be as big a market as property and casualty insurance in the next 10 years or so, making the sector no longer P&C, but PC&C.

There's still tons of security to do, but now it's getting done faster. Insurance underwriters are also looking at ways to package big-ticket cybersecurity tools for small-medium size customers and are also driving more personal security for the WFA (work from anywhere) crowd.


GL when the vendors' patches don't come out in a respectable time (thinking that the companies need to hold the vendor responsible). I guess that would open a new world of insurance: buying insurance to make sure that a patch is available on time; otherwise the vendor has to pay the financial penalties that the company owes the cyber insurance company.

Or like the log4j threat, where the patches were coming out every other day, and one has to patch 600-800 servers, which takes a couple of days. That makes for lots of system downtime, not meeting the .99999 (five 9's) uptime, so the cyber insurance company needs to pay the company for the excessive downtime and losses it incurs in order to meet the patching contract requirements.

My Moral Fibers have been cut.

deanwebb

Those are issues that they're taking on and getting answers for. I personally hope to see the end of "five nines" in an SLA because it's reckless how it pushes production over security.