The idea of insurance is not to ensure that something happens, but to ensure that if something does happen, the insured company will receive compensation to help remediate the situation. This applies equally to physical health insurance and to security health insurance.
Probably the most overlooked aspect of insurance is that the point of having it is never to need it. It is vital that security-related incidents are reduced or eliminated, but that will not happen without a great dose of prevention.
Prevention can be assured through a three-pronged approach.
First, education of the computer user is essential to help them compose better passwords, watch for social engineering attacks, and be cautious in their daily use of any computer.
Second, senior management must buy in to computer security and incorporate good security practices into their communications with the rest of the organisation.
Third, punitive action for non-compliance must be taken, but only as a last resort. Rehabilitation for individuals who do not follow security procedures must be the first priority, especially if the violation is an anomaly.
Regular disregard for the security rules needs to be met with strictness, but not at the price of morale. Sometimes, the best medicine for individuals who regularly disregard security practices is to place them in charge of the security environment.
It may be that they do not understand the consequences of their actions (or lack of action) and need to be accountable not just for themselves, but also for others in their immediate area.
More on cyber insurance from the Computer Weekly Security think tank
The purpose of cyber liability insurance
Liability insurance for information security companies serves a two-fold purpose.
The first is to protect the company's management from harm should a security configuration prove ineffective against a certain attack or intrusion.
The second is to establish a "security blanket" for the employees of that company, to alleviate the daily stress of having to get it right every time, all the time.
Insurance should not replace good, solid common sense and training. If the employees of the client company of the information security supplier have good security training, that should help the supplier rest assured that this client is unlikely to do it legal harm in the future.
In fact, liability insurance companies should consider factors like training when setting premiums, to help suppliers pick the "right" clients to serve. Remember, if you insure a person who does unhealthy things, you raise your risk as an insurer, and your underwriters will not like you very much.
In conclusion, insurance for information security companies forms the basis for a non-adversarial relationship between supplier and client: it gives the client assurance that the supplier is practised and competent (why else would an insurer insure them), and it protects the client should something go wrong.
The supplier should use the insurance as a form of trust for their company; the client should use the fact the supplier has insurance as protection from harm.
Chris Greco is a member of (ISC)2 and IT project manager in the US federal government.
This was first published in October 2013