10 CISOs Say Cyber Insurance is Growing and Evolving, but Adoption Comes with Caveats
Ten CISOs from across industries share insight on the future of cyber insurance and tips for success. Most CISOs agree the market for cyber insurance is growing and evolving. However, the adoption of cyber insurance comes with a number of caveats, making it imperative for CISOs to take an active role in procuring policies.
Read their insights here:
Delta Dental of New Jersey Head of Information Security
Due to recent high profile breaches wreaking havoc on many enterprises, cyber insurance will be gaining velocity and popularity. The Board and the C-Suite will have an appetite for reducing risk, in part, by offloading it to insurance providers. Government agencies and insurance companies are already at work establishing guidelines to support the growth of the cyber insurance market.
Solutions providers will also accelerate the increased adoption of cyber insurance policies. They will tout the promise of reduced premiums for enterprises that adopt their solutions to demonstrate proof of having critical security controls in place.
Regardless of the size of the business, cyber insurance is becoming a necessity as it provides much needed protection in the event of an incident. Much like health insurance offers a safety net for families, cyber insurance will help a CISO rest easier and focus on the business at hand.
Principal Financial Group CISO
When buying insurance, you know what you plan to protect – your car, your home, your income for example. When considering buying cyber insurance, you should also know what you plan to protect. Where are the assets you consider most important to your company and what is the current state of controls protecting those assets?
You should consider insuring your technology infrastructure, including any external service providers such as data centers, cloud services, or third party service providers with access to those assets.
Like other assessments, the process of cyber insurance underwriting is essentially a point in time review. The cyber insurer will have many questions about your controls. Similar to external threats, internal control structures are constantly evolving. All parties should be sure there are clear guideposts for handling changes related to technology infrastructure – on premises, in the cloud or provided in other ways outside of your organization.
We all buy insurance for things we hope will never occur. In the case of a breach, the worst case scenario would be to find out your insurance was voided due to a contractual issue, related to a control change or not following the proper process to file the claim. If you buy insurance, be sure all stakeholders have a clear understanding of internal impacts.
I believe there are great benefits in obtaining cyber insurance. It can only contribute in a positive way to a security organization. Most policies will provide a CISO with yet another point of validation and third party reflection on the overall security program, which can never hurt.
Additionally, most policies allow for the CISO client to take advantage of free services such as risk assessments and other resources to aid the security program, and as we all know, supplemental resources within security are always welcome.
So, where is the market going in 2016 and beyond? I feel that it is evolving and maturing. One could say it has had a challenging start, with many unknowns, confusion and lack of expertise on both sides of transactions.
But I anticipate that will change drastically in 2016 as underwriters gain experience, security organizations work to retain cyber talent and improve the cyber insurance review process, and customers start to ask and require insurance policies from their suppliers and partners. The market is beginning to stabilize, as policies within post-breach organizations get exercised and tested.
Live Nation Entertainment CISO
I think it’s necessary and smart for every company to have a policy with a reputable carrier; but the challenge the industry faces is the actuarial model that insurance companies rely on is not capable of predicting who or what is at risk. Big company? Small company? Healthcare? Retail? Government? Yes, yes and yes. And – no, no and no.
We’ve seen companies who have mature, robust, well-funded security programs be successfully breached. And there are obviously companies with minimum security programs that have no problems at all.
As a result, it mostly turns into a big guessing game for both the carriers and the companies who wish to purchase policies. With the hard costs of cyber intrusions on the rise, shopping around for the right deal with the right partner is absolutely necessary for any company looking to buy a policy.
ASRC Federal CISO
Cyber Insurance is an important topic for the CISO to discuss with the organization. Traditional insurance policies are beginning to specifically exclude cyber breaches. If an organization is not paying close attention to these changes, it could find itself without adequate coverage in the event of a breach.
It is important to note that cyber insurance does not remove an organization’s responsibility to adequately protect the data and IT Systems within the organization commensurate with their value. If a breach occurs and an organization has not done its due diligence, they may find themselves without any protection.
Fairfax County CISO
The area of cyber liability insurance is growing exponentially, yet there is little data to show it is worth the cost. To make this determination, CISOs must be able to answer the following: If you are breached – based on the data and legal requirements – can your organization afford the costs of identity protection, notification of individuals, recovery of data, etc…? The costs of these processes will add up quickly for an enterprise.
Cyber insurance, if procured correctly, can truly help offset those costs. What cyber insurance cannot do is repair the reputation of an entity once it is publicly announced a breach or successful hack occurred and records were exposed etc…
Cyber insurance is an important consideration when selecting third-party vendors as well. If cloud services are being used and data is being stored in the cloud, it is imperative that the cloud service provider have cyber insurance that would cover a breach, hack or exposure of your data stored there. In my experience, cloud service providers often have or are in the process of acquiring cyber insurance, but they prefer to not disclose coverage unless customers insist on it being there and available.
Cyber Insurance is a necessary evil, so to speak. As I stated earlier, it helps to offset costs of recovery, mitigation, notification etc…but does nothing to help the damage to reputation.
Zephyr Health CISO
The cyber insurance market is hot and is here to stay, so be wary of anyone who says cyber insurance offerings are too expensive for insurance companies to maintain. However, I do foresee the insurance companies evolving to the point they specify or require types of security and risk frameworks a company must have in place in order for the company to become insured.
Requiring adherence to a framework, in my mind, is a sound business principle for the insurer, but I do not think it is appropriate for insurers to specify which frameworks are required – a decision best made by the insured. Unfortunately, because carrying cyber insurance is almost always required these days, the insurance companies would undoubtedly have leverage should they move in that direction.
BioReference Labs CISO
Insurance carriers underwrite cyber policies that cover liability related to data breaches and major security incidents, which can be costly to identify, contain, resolve and recover. In addition to data loss and interruption of business operations, these events can cause damage to electronic and/or physical property, bodily injury and the organization’s brand reputation.
Therefore, it is imperative that insurers and insurance buyers understand which risks are explicitly covered, which may not be covered and which may be specifically excluded.
Many insurance buyers may believe that existing insurance policies will work for cyber risks, but there are generally gaps in that coverage. The policy must include cyber-specific language as an effective way of covering gaps which conventional policies do not cover. It is important for CISOs to understand their organization’s existing policy and be an active influencer in the buying process.
Bank of Tokyo-Mitsubishi UFJ Ltd. Vice President of Enterprise Security
We all need Cyber Insurance. As they say, it’s not if, but when, you will be breached. Will your policy provide the kind of coverage you need when this happens? That is the real question.
Cyber insurance will generally cover claims, regulatory fines and penalties, PCI fines and penalties, liability and remediation costs.
Still in its adolescence, cyber insurance policies are generally plagued by the following:
- Coverage with gaps that may leave you out in the cold
- Lack of understanding what your company’s risk appetite really is
- Lack of standard forms
- Too many conditions and exclusions
- No “one-size-fits-all” approach
Cyber Insurance just can’t keep up with the threat landscape – at least at the present time – with how complex the policies are.
We need to understand, collectively, how breaches happen and why. Do we need to share information on data breaches? There is a call in the industry for this to happen. Should the government step in?
Don’t you want to know what you are getting for what you are paying for? Cyber Insurance needs to grow up – and soon!
University of Massachusetts CISO
Today’s cyber insurance coverage is primarily for (1) forensics – determining root cause of a potential data breach as well as whether or not records were compromised; and (2) credit monitoring – providing free credit monitoring to breach victims.
Cyber insurance is evolving to cover damages to corporations who have been breached, such as liabilities. However, in order to receive this type of insurance coverage, corporations will be required to implement and maintain a strong cybersecurity program that complies with requirements established by the insurance companies.
By implementing a strong set of security controls, the risk of a security incident will be minimized, reducing the likelihood of a data breach. So, in order to get insurance, companies will need to prove that they comply with requirements established by the insurance companies.