In our increasingly automated and digitally-reliant economy, cyber insurance is a necessary tool to mitigate the financial impact of a data breach or other damaging cyber events. Year over year, more companies are buying cyber insurance; out of 1,300 large and medium-sized U.S. companies polled in a recent survey conducted by Microsoft and Marsh, 34% currently purchase and another 22% plan on doing so in the next 12 months. Yet, despite this fact, cyber insurance remains frequently misunderstood in connection with what it covers, pricing, and how it functions in connection with a company’s broader cybersecurity strategy and controls—but it doesn’t have to be. So, with that in mind, the following is intended to provide more clarity about how cyber insurance can be a good fit if your company doesn’t already purchase it:
• Perception: “if I buy cyber insurance, I can lower my guard or decrease my investment in technical or other cyber risk mitigation controls” (i.e., the people/process/technology solutions you have in place to shore up your risk protection).
• Reality: cyber insurance is meant to augment, not replace, your risk mitigation controls. Think of it as a financial backstop that limits the scope of loss and helps your organization quickly get back to normal business operations in the wake of a serious cyber incident.
To use an analogy, companies invest in smoke detectors and practice fire drills to limit the possibility of property damage, but they also purchase fire insurance. In a similar way, cyber insurance is a key part of your organizational cybersecurity in that it increases your cyber resiliency.
• Perception: “cyber insurance seems to be increasingly expensive, and I’m concerned about underwriters accurately pricing my risk.”
• Reality: although still “young” compared to more established insurance lines, the cyber insurance market has grown exponentially over the last decade. Based on increased market capacity, greater underwriting experience and knowledge, more claims data, and improved quantification and risk modeling tools (among other factors), cyber insurance pricing for most industries has remained largely flat or only increased incrementally over the past two years. In fact, from Q1 to Q3 2017, there was a net decrease in pricing across all industries before picking up slightly in Q4.
• Perception: “I’m not sure that a cyber insurance policy covers the range of potential vulnerabilities that my organization is facing.”
• Reality: cyber insurance is only an effective risk transfer tool if it keeps pace with the changing threat environment. In other words, it’s a good thing that policy language and coverage evolve from year to year, as that means that insurance carriers and brokers are ensuring that the product remains aligned with the risk. For example, coverage for contingent business interruption (for cyber losses incurred by a third-party services provider that your organization relies on) was either not offered or only offered partially for extra cost as recently as three years ago. Now, many go-to cyber insurance markets include it as a standard coverage at full limits for no additional cost.
Perhaps the biggest misconception about cyber insurance, however, is that it’s an issue that should be siloed within the risk management domain. To the contrary, corporate officers are increasingly engaged in cyber risk-related discussions and as the organization’s information and business leader, the CIO is uniquely situated to contribute to and shape these conversations. This is true for both internal deliberations on whether to purchase the insurance, as a component of an overall cyber risk management strategy, and for subsequent external conversations with insurance markets, where the CIO or CISO is often responsible for conveying their organization’s information practices and security controls.