undefined | Better HN

0 pointssaurik7y ago0 comments

If the insurance company had to pay out $20B, the plans would either cost a _lot_ or they would have tons of actually legitimate requirements with inspections (like you see with fire insurance of super expensive buildings: you don't get to just buy cheap fire insurance without having tons of procedures in place for mitigating fire).

0 comments

1 comments · 1 top-level

txcwpalpha7y ago

The data breach insurance I'm aware of does have such requirements, but cybersec standards change so rapidly, and it costs so much to do any decent inspection, that in practice it just doesn't work as well. It's not like a building where fire codes are more or less the same from year to year, and where a fire inspection can be done in less than a week (if not a single afternoon).

Most organizations I've seen have a very complicated risk management formula to determine how much they're willing to spend on things like cybersecurity. I simplified it my original comment, but from what I've seen in the current state of things, insurance is typically on the side of the equation that justifies spending less on security, not more.

j / k navigate · click thread line to collapse