undefined | Better HN

0 pointsCableNinja1y ago0 comments

Thats basically the whole point actually... A company pays for insurance for the business. The insurance company says sure we will insure you, but you need to go through audits A B and C, and you need certifications X and Y to be insured by us. Those audits are often industry dependent, mostly for topics like HIPAA, PCI, SOC, etc.

Insurance company hears about supply chain attacks. Declares that insured must have supply chain validation. Company goes and gets a shiny cert.

Now when things go wrong, the company can point to the cert and go "it wasnt us, see we have the cert you told us to get and its up to date". And the company gets to wash their hands of liability (most of the time).

0 comments

landownersubgrp1y ago

What you describe is a normal process in order to minimise damage from attacks. The damage of hacking is ultimately property damage. The procedures you've described allow you to minimise it.

And that's a good thing.

77pt771y ago

> And the company gets to wash their hands of liability (most of the time).

Certification theater.

It's completely performative.

j / k navigate · click thread line to collapse