Until now, it was relatively easy to buy a cyber policy. Just check the boxes on the short security questionnaire, pay the premium and you’re covered…right?
This approach has proven to create enormous hidden risk for both underwriters as well as the covered organizations. The risks, or gaps in a cyber policy, never surface until you are breached and file a claim. Suddenly, your claim is denied, and you’re paying everything out of pocket. You’re fully exposed. Not much different than being self-insured at that point.
The problem is organizations are depending on their cyber insurance underwriter to quantify their cyber risks. They’re expecting the underwriter (an actuary) to understand security and, more importantly, understand security in their specific environment.
In the past, there was very little cyber loss data for underwriters to reference. When we asked many actuaries how they quantified cyber risk, their response was scary. They literally licked their thumb and put it in the air. It was a guess. Barely an educated guess. They didn’t have enough data to be reliable.
The frightening part? Organizations were relying on this “quantification methodology” to protect their businesses.
What You Need To Know Now
Cyber insurance underwriters have experienced great losses, so they’re wising up very quickly and have much better data now. Not only do they require a more complete and rigored security questionnaire, but some underwriters are also requiring evidence of your security controls. They have more data on what controls are necessary to minimize cyber risks. Some underwriters are also hiring security practitioners to help them assess risk for new policy applications and renewals. It’s putting new pressure on the insureds. As an insured, you must understand your cyber risk, have controls in place and know your risk tolerance to even think about a renewal of your cyber insurance policy.
On top of the tighter underwriting requirements, cyber-attacks are exponentially increasing. Insureds are spending more time defending their environments, and resources are getting squeezed. It’s unfair when the cyber criminals are playing by no rules.
The key to developing smart cyber risk management requires understanding these critical components:
Risk Acceptance – what level of financial risk can you accept or self-insure?
Risk Mitigation – how mature is your defense-in-depth cyber strategy in monitoring, detecting, and responding to cyber-attacks?
Risk Transfer – based on your risk environment you need to know, (a) your risk tolerance & what level of risk you’re willing to accept and (b) the effectiveness of your security controls. Understanding these two will help you determine the right amount of risk to transfer (cover through cyber insurance). When you determine coverage limits, keep in mind that business disruption can result in huge losses.
Smart risk management prepares you for surprises. It means you have the right strategy in place to operate and sustain your business during a crisis. It also means that you stress-test your strategy on a regular basis.
Cyber insurance is part of a smart cyber risk management strategy. It’s not a smart “stand alone” cyber strategy!
How do you better understand your risk and leverage cyber insurance into your cyber risk strategy? Don’t rely on the underwriter to quantify your cyber risk, even if they have a security professional on staff. He/she was hired to help the underwriter manage their risk, not yours. Engage a third-party cyber expert to help you assess your enterprise cyber risk and develop a cyber risk management strategy. The few thousand dollars you spend will be substantially less than the potential hundreds of thousands of dollars you could lose from a denied cyber claim.
Other helpful resources:
Gain additional cyber insurance insights about coverages, limits, renewal and audit requirements and what to look out for in our September Cyber Defense Intelligence webinar featuring guest panelist and Cyber Liability Expert, Ralph Pasquariello.
Talk to a Pillar CISO for additional insights on cyber risk insurance do’s and don’ts
Pillar Technology Partners is on the cutting edge of cybersecurity developments. We’re committed to helping security leaders simplify, understand, assess, remediate, and operate their information security program with a unique focus on data protection. Our CISOs, Security Engineering Teams and Incident Response Teams understand how to help you simplify cyber security. To learn more contact firstname.lastname@example.org.