Making the Most of Cyber Insurance
When cyber insurance first appeared, I wondered if it was necessary. The underwriters asked a handful of basic questions, and we had limited information to provide them. My company’s first couple of policies seemed like guesswork, both for us in estimating our coverage needs and for the insurers in assessing our risk. What I have come to realize is that what once felt like a necessary evil has helped improve our program over time.
With the advent of ransomware bringing systems down for weeks, and billion-dollar cyber event losses, cyber insurance is not optional for most companies today. The relationship between insurers and insured needs to be detailed, strategic, and transparent. Steps to reach that level of partnership include:
Start internally to set the right mindset among your business leaders, emphasizing that cyber insurance is not just a financial backstop but a strategic component of the enterprise risk management strategy.
Look at your risk: Identify critical systems, sensitive data, third-party dependencies, threat exposures, and the potential financial impacts of cyber events. Collaborating with Internal Audit and your financial team can help make this effort most effective. Use that data to inform your insurer and identify your insurance goal.
Share transparently with your insurers: Meet with underwriters to present a thorough review of your program, providing in-depth information about your security controls and program, including details on organization, budget, key initiatives, and metrics.
Demonstrate your maturity and progress: Show how your program maps to a recognized framework like the NIST Cybersecurity Framework. Show your progress over time on your security roadmap and key initiatives. Highlight accomplishments and work on hot topics such as third-party risk, cloud security, and AI controls.
Highlight your Incident Response Plan, testing frequency, and incident response vendors.
The better your program, the better your chances of getting the “non-smoker” premium. Invest the time and treat your insurers as partners in risk management.
The next critical action is working with your Risk and Insurance, Legal, and financial leadership to ensure the proposed policy terms meet your needs. Elements to consider include:
Coverage types: How does the policy differentiate between direct losses (data restoration, business interruption, ransomware payments, and forensics) and liabilities to others (legal fees, regulatory fines, and providing credit monitoring)?
What is not covered: Policy exclusions can include some nation-state attacks deemed "acts of war," breaches via specific third-party software, and incidents below certain thresholds.
The insurer’s requirements and role in an event: Do you choose the external legal counsel, the digital forensics and incident response firm, the ransomware negotiators, and the public communications firm, or do they? How involved do they have to be?
You need to be aligned on all these details so there are no surprises.
How does this effort improve your program? The insurance providers’ expectations for evidence of mature controls grow with each passing year: most insurers require preconditions like network segmentation, Multi-Factor Authentication, Privileged Access Management, Endpoint Detection and Response, Incident Response Plans and exercises, and regular security audits. Those requirements can help justify security budget requests and prioritize improvements.
In addition, senior leadership and Risk are watching the premium cost and seeing how a stronger program reduces both premiums and risk. This cycle helps us raise the bar.
Pitfalls to avoid include:
Viewing insurance as a substitute for security investments. Insurance is not an alternative to strong controls; under that strategy, obtaining coverage at all, and the size of the premium if you do, would become cost prohibitive. I suggest looking at the security budget separately from insurance costs to keep the distinction clear.
Failing to loop in key stakeholders like legal, PR, or compliance.
Not understanding your coverage and policy exclusions.
By actively engaging in the cyber insurance process through collaboration, rigorous assessment, demonstrating a strong security posture, and providing transparent, detailed information to underwriters, CISOs can significantly influence the coverage and cost to fit their business needs, and improve their program in the process. Go for the non-smoker rate!
Hold Fast
Stay True