Editor’s note: The following is a guest article from Peter Hedberg, VP of cyber underwriting, Corvus Insurance, a wholly owned subsidiary of The Travelers Companies, Inc.
Traditionally those in charge of managing corporate insurance programs have been from finance, HR and facilities departments.
Application questions for traditional policies like commercial property, health and general liability are fairly straightforward: How many employees are on the payroll? How many vehicles are in the fleet?
But when it comes to assessing policies and applying for cyber insurance, the questions and considerations become more complex. It’s imperative that companies have the right people in the room when evaluating cyber insurance.
Increased cyber risk drives need to assess coverage
We’ve seen increases in the frequency and severity of ransomware attacks, data breaches and other cybersecurity incidents, which puts a focus on cyber insurance.
Coverage is designed to help an organization mitigate exposure through risk transfer, and it does this by helping cover costs associated with data recovery, business interruptions and other losses after a cyber-related incident. It differs from general liability insurance, which generally excludes cyber events.
Put simply, cyber exposure should be treated just as seriously as a fire event, each with a high potential to disrupt business for extended periods of time.
A 2023 Forrester Research report found that 83% of enterprise security decision makers say that their firm has some form of cyber insurance coverage, yet only 26% of organizations had a standalone cyber policy.
One explanation for this lower uptake may be a lack of knowledge about these policies. Common misconceptions include companies thinking they have adequate protection through their business liability or business owner policy (BOP), attacks only happen to large companies or failing to understand the true costs of a breach when weighing the cost benefits.
That’s why chief information security officers and those in charge of cybersecurity should take the lead when evaluating cyber insurance.
Offense is the best defense
Whether a company is evaluating cyber insurance for the first time or comparing policies at renewal, step one is to have strong security controls in place and an incident-response plan that helps protect and defend against attacks and breaches.
Not only do strong controls help mitigate risk, they also help with companies’ insurability.
Almost half of organizations with a cyber insurance policy had to enhance their security posture to meet the insurer’s requirements, and 30% of companies made changes to be eligible for the policy, compared to 22% a year ago, according to a recent Netwrix report. One in five respondents say they implemented additional security measures to reduce the cost of a policy.
This is precisely why those in charge of the organization’s cybersecurity need to be front and center when it comes to cyber insurance.
At a minimum, companies need to put in place:
- Multifactor authentication
- Patch management
- A robust backup strategy
- Endpoint detection and response
- Company-wide education and training
The role of the CISO in evaluating cyber insurance
The evaluation of a cyber insurance policy and provider needs to rest with the CISO or the top security leader in your organization. CISOs are in the best position to:
- Evaluate “what you get,” including value-added services. For example, does your policy provide access to risk advisors who flag cybersecurity blind spots, proactively provide risk insights, analysis and hands-on help in the event of an attack or breach?
- Compare coverage for key cyber events.
- Answer questions related to the company’s existing security controls and cyber risk posture.
While the CISO should run point for cyber insurance evaluation, include experts from IT, legal, finance and other areas as needed to shore up:
- Risk assessment of third-party and supply chain vulnerability. This is an opportune time to inventory and review contracts with third-party providers. Recent high-profile attacks of supply chain providers in multiple industries (e.g., software, healthcare, automotive) illustrate the need for companies to assess cyber risk through these channels.
- Potential liabilities related to privacy and data management. Policy evaluation and renewal is a good time to evaluate privacy and data management practices. Is there a compelling business or compliance purpose to hang onto data? If not, does doing so create legal liabilities? Are your data backups robust and secure?
CISOs should use policy evaluations and renewals as an educational opportunity with leadership to inform them why proactive security measures require the proper funding to reduce risk and create better insurability.
The costs of securing the digital perimeter may seem high, but the costs of a data breach or attack are likely much higher. The real cost goes beyond rising ransomware payments and includes increased legal and IT costs, expedited security controls, brand and company reputation, and more.
Consult with your cyber insurance broker and insurer to make sure you understand the scope of coverage to avoid gaps in protection. Companies often purchase insurance policies that do not adequately cover the full extent of their cybersecurity risks.
The CISO or security leader can help assess the data and systems the company is protecting and recommend investments to increase resilience. They are in a better position to understand what systems are likely to be targeted by ransomware attacks, what systems should be covered and what downtime costs.
Build trust between your insurance broker, the insurer and your company. Instead of an antagonistic relationship that is often viewed as an affront on the company’s security posture, look for opportunities to educate leadership on the importance of cyber insurance and to implement recommended risk mitigation strategies.
Take advantage of value-added services from your insurer such as access to a team of cyber experts for proactive risk prevention services and real-time threat intelligence.
Cyber insurance can be an effective tool for companies, yet the evaluation, application process and management may seem confusing or complex. Let the CISO take the lead to ensure your policy provides adequate protection for cyber events and robust security controls for proactive risk mitigation and increased insurability.