One of the primary insuring agreements within a cyber insurance policy is coverage for lost income. That coverage can vary. While this may not be an obvious takeaway from the recent string of events, it’s important to note the following: many purchasers of cyber policies may assume that lost income from such an event would be covered; however, in most cases that assumption would be false.
Policies generally require 1) that such an attack affect a direct business service provider with which a contract agreement exists, and 2) that a “time deductible” has elapsed. In most cases that deductible is 24-72 hours. So organizations purchasing coverage in the hope of affording themselves some level of protection against attacks such as the DYN attack will likely be out of luck.
Unless you are a company such as DYN looking for coverage for yourself, or your contracted business provider is affected for a prolonged period, insurance coverage is likely not a sufficient tool for risk mitigation. Cyber policies are still a wise investment, but purchasers should understand their limits. To protect themselves, organizations should take other precautions, such as implementing continuity plans for attacks that cripple a particular supplier or partner. Just as manufacturers have backup suppliers, companies that are heavily reliant on their tech providers should also have backup plans in place.