You are responsible for the work you put out


A very interesting story I heard on the Defensive Security Podcast this week, with potentially serious implications for those of us providing professional services in the IT industry.

The story has 3 actors:

  1. Alpine Bank, a Colorado bank
  2. Travelers, Alpine Bank's insurer
  3. Ignition Studio, a web design company

And it goes something like this:
Alpine Bank hires Ignition Studio to build and maintain a website for it.
Alpine Bank also holds an insurance policy with Travelers that covers it in case it suffers a breach.
The Alpine Bank website gets compromised, the bank indeed suffers a breach, and Travelers pays out roughly $155,000 on the resulting claim.
Travelers conducts an investigation and concludes that Ignition Studio was negligent in maintaining the website: it failed to apply critical security patches, failed to use adequate encryption around sensitive data, and failed to install basic anti-malware protection, among other issues.
Travelers, as the insurer that paid the claim, sues Ignition Studio to recover the money.

And that’s as far as the story goes. It’s still unfolding, so we have yet to find out how the lawsuit will end. Suffice it to say, this will be a very interesting one to watch, since Travelers and Ignition Studio had no interaction prior to this incident. In other words, there was no contractual relationship between Ignition Studio and the insurance company, yet the insurer is now suing the web design firm for negligence. The mechanism that makes this possible is subrogation: having paid the insured's claim, the insurer steps into the insured's shoes and can pursue whoever it believes caused the loss.
If this goes through, it will set a big precedent and be a game changer for the IT industry: a service provider's exposure would no longer be limited to what its own client might claim.

Cyber insurance is becoming more commonplace. Companies are transferring risk to insurers that are in the business of minimizing risk and are financially incentivized to investigate incidents such as this one and recover their losses from whoever was at fault.