De-Mystifying Cyber Insurance

To use an analogy, companies invest in smoke detectors and practice fire drills to limit the possibility of property damage, but they also purchase fire insurance. In a similar way, cyber insurance is a key part of your organizational cybersecurity in that it increases your cyber resiliency.

• Perception: “cyber insurance seems to be increasingly expensive, and I’m concerned about underwriters accurately pricing my risk.”

• Reality: although still “young” compared to more established insurance lines, the cyber insurance market has grown exponentially over the last decade. Based on increased market capacity, greater underwriting experience and knowledge, more claims data, and improved quantification and risk modeling tools (among other factors), cyber insurance pricing for most industries has remained largely flat or only increased incrementally over the past two years. In fact, from Q1 to Q3 2017, there was a net decrease in pricing across all industries before picking up slightly in Q4.

•Perception: “I’m not sure that a cyber insurance policy covers the range of potential vulnerabilities that my organization is facing.”

•Reality: cyber insurance is only an effective risk transfer tool if it keeps pace with the changing threat environment. In other words, it’s a good thing that policy language and coverage evolve from year to year, as that means that insurance carriers and brokers are ensuring that the product remains aligned with the risk. For example, coverage for contingent business interruption (for cyber losses incurred by a third-party services provider that your organization relies on) was either not offered or only offered partially for extra cost as recently as three years ago. Now, many go-to cyber insurance markets include it as a standard coverage at full limits for no additional cost.

Perhaps the biggest misconception about cyber insurance, however, is that it’s an issue that should be siloed within the risk management domain. To the contrary, corporate officers are increasingly engaged in cyber risk-related discussions and as the organization’s information and business leader, the CIO is uniquely situated to contribute to and shape these conversations. This is true for both internal deliberations on whether to purchase the insurance, as a component of an overall cyber risk management strategy, and for subsequent external conversations with insurance markets, where the CIO or CISO is often responsible for conveying their organization’s information practices and security controls.