Michael Sean Quinn, Ph.D., J.D., c.p.c.u. . . .
The Law Firm of Michael Sean Quinn et
Quinn and Quinn
1300 West Lynn Street, Suite 208
Austin, Texas 78703
(512) 296-2594
(512) 344-9466 – Fax


As Krebs of KrebsonSecurity has pointed out many times, cyber attacks, and therefore defense systems, at least tend to focus on the accounts, credit cards, and other information of customers, not those of the institutions themselves. The cyber systems of institutions, e.g., retailers and banks, are minimally protected. Here’s how he put it on February 16, 2015: “Most organizations–even many financial institutions–aren’t set up to defeat skilled attackers; their network security is built around ease-of-use, compliance, and/or defeating auditors and regulators.”

Obviously these systems need further and better regulation. Insurance underwriting can provide it. If insurers require financial institutions to provide better–better yet, maximum–protection for their networks, rather than simply enough to protect themselves from regulators, everybody’s money and pocketbooks would be better off.

Leaving itself unprotected in order to pursue its own short-term interests? So much for financial responsibility? So much for transparency? Krebs and others have conjectured that bank losses may be as high as a billion dollars, and those may be just U.S. losses.

Insurers should require this in all sorts of insurance policies, even those that are not directly connected to cyber insurance, although they should most assuredly do so in cyber policies. I don’t see why they couldn’t be in CGL, D&O, and even vehicle policies, e.g., those for transporting ATM money. I don’t see why they could not apply to first-party property policies, such as those for computers and buildings. After all, a sophisticated cyber attack might affect either of these types of systems.

Why should this be done? Because all of these “variations” will maximize protection at given points of evolving history and decrease successful attacks in all sorts of ways. 

How might this regulation work? Insurance applications should insist that applicants have the best in hack protection. This may require special drafting. That can be done by cyber-sophisticated underwriters or underwriting consultants, by cyber forensic engineers to some extent, by experts on hacking who understand how the English language for insurance contracts works, and by the right kinds of lawyers