Interesting reading through the latest Crime Insurance Renewal forms I’ve been sent. Crime insurance was a hot discussion topic a few years ago as a potential driver of better IT security practices in business, but it fell off the radar somewhat in recent years. I have to ask: has it finally, seriously arrived (at least here in Australia)? Has this quietly snuck up on us, and is it now about to be the next “PCI DSS”?

Obviously, if you had good IT security practice before, PCI DSS compliance wasn’t a pain, and if you’re PCI DSS compliant now, then Crime Insurance requirements won’t be a pain either... but if you haven’t got the first and second under control, well, here’s another concern to add to the list. And for those of you who were never required to be PCI DSS compliant, you’re now probably going to feel the pain you thought you were lucky to have missed.

Now this one could be the biggest of the lot. Read on…..

While by no means as comprehensive as PCI DSS (just a few control checks at present), the controls are not simple “fixes” if you don’t already have good security practice in place, e.g. covering access controls – assignment and levels appropriate to roles – ID and password management, firewalls, IDS/IPS, patch management, network and web application penetration testing, electronic transaction authentication, etc.

So what’s the upshot of this? Mandatory? Not as yet, from what I can gather, but certainly something that will raise insurance costs in the short term. Making a claim? Better ensure you were accurate in your application submission... it’s no PCI SAQ (self-assessment questionnaire), and insurance companies tend to treat “creative” responses in applications pretty badly. Longer term – the likelihood of no insurance at all if you can’t demonstrate compliance with good IT security practice. Boom!

I think we’re going to start hearing a lot more about this in Australia.



  1. DD Further.... says:

    There will be responses noting the small bits and pieces in insurance covers to date, but obviously these are not at the levels seemingly coming through now (??) – evidence being the state of information security practices within most Australian organisations (showing little to no improvement in recent years except where regulated by the likes of PCI, and even then in many cases questionable).

  2. D2 says:

    Hee hee, the first pass I read this “Covering Ass Controls” :)

  3. Drazen Drazic says:

    That’s what the insurance companies do and do well and that’s their business. Where did Risk Management start? Same dudes.

    They really could, if they wanted to, stand this thing on its head today... if they REALLY wanted to... and you wonder... it is just a matter of time. All else follows “normal” business directions... why won’t this? Of course it will. But, and here’s the big thing... actual detection of the fraud AND the extent of it... most organisations have no idea. And here’s the double-edged sword... if/when they do and start to “claim”, that’s when the old bulls come into play... “okay boys... premiums are now UP!!”

    Incentives for change? Ooooh yeah….read about it soon.

  4. Irr3l3v@nt says:

    It’s all a game until the money talks, and this shows how it will start. Watch the media jump on this once they read this. They have missed the boat again and security dudes blogging hit the scoop again.

  5. Big Galoot says:

    @Irr3l3v@nt summed it up:

    “Money talks”

  6. KDea says:

    I am a small business and I received my proposal for PI insurance renewal this week. It was A LOT more specific this year than last. If I hadn’t already put in place a lot this year for PCI I would have found it a bit of work.

  7. relevant says:

    The amazing thing and what has been mentioned in this blog many times is that those in charge of IT in so many organizations are never questioned for their incompetence.

    Again, many will be up in arms once something like this hits their company; work they should have been doing a long time ago.

    PCI, insurance, what’s next? It will happen.