Confusion over cyber insurance leads to coverage gaps
A typical corporate cyber insurance discussion goes like this: The CEO or board chairman calls the CISO into the room and tells him that their insurers is going to pay out only 38 percent of a claim because "you didn't implement encryption on the affected applications."
The CISO says: "First, I didn't know we had cyber insurance. Second, the impacted apps are running our ATM machines and if we would have encrypted them you would have fired me because our customers wouldn't have been able to access them. I wish you would have talked to me before you implemented these policies."
A CISO unaware that his own company had acquired an insurance policy to hedge against the cyber attacks he was hired to prevent sounds more like a plot line for an episode of the HBO series "Silicon Valley” than an actual business case. But such disconnect happens frequently in the wake of breaches, according to Julian Waits Jr., CEO of PivotPoint Risk Analytics. "Insurance is purchased in silos," Waits Jr. says. "The two things that you think would go hand in hand as you deal with financial risk transfer hardly ever talk to each other."
As a result, companies are often uncertain about what is and is not covered by their policies and are often insuring the wrong things at a time when claims can be rejected for inadequate cyber security testing procedures and audits, outdated patches, inadequate cyber incident response plan and inadequate backup and recovery processes.
[ Related: What is cyber insurance and why you need it ]
Meanwhile, insurers create aggregate risk models that are more like one-size fits all policies that don't necessarily fit well with enterprise customers' particular needs. These pose major challenges at a time when PwC says global cyber insurance market could grow to $5 billion in annual premiums by 2018 and at least $7.5 billion by 2020.
For better insight into cyber insurance, Waits Jr. commissioned research with input from IT and insurers. Cyber insurance research Advisen polled 195 insurers and brokers and SANS Institute surveyed 203 information security and IT professionals for “Bridging the Insurance/InfoSec Gap: The SANS 2016 Cyber Insurance Survey," a report written by SANS analyst Barbara Filkins.
Filkins identified four key gaps that organizations must close in order to effectively procure cyber insurance policies that suit their requirements:
Shawn Wiora says SANS' gap findings are consistent with his experience evaluating and purchasing cyber insurance policies. As CIO and CISO of nursing care facilities provider Creative Solutions in Healthcare, Wiora found many policies lacking when matched up against his own security model, which is based on the cyber framework established by the National Institute of Standards and Technology. He says that there is a tool or assessment matrix to help CISOs correlate their security postures with the policies they elect to purchase. Another challenge is that so few cyber insurance claims have been processed and made publicly available, which keeps businesses in the dark.
[ Related: Cyber insurance can be your worst nightmare, best friend ]
While cyber insurance is an issue that everybody wants to understand, no one wants to talk about it because discussing cyber risks makes people uncomfortable, says Wiora, who took steps to educate his entire C-suite about cyber risks and insurance. "There is a lot of confusion and it's such a young industry," Wiora says. "The insurers don't get it."
So, what is a CISO/CIO to do David K. Bradford, co-founder and chief strategy officer of Advisen, has an idea: “The CISO needs to be involved at a very early stage to map those exposures and to work with the risk manager to understand what those exposures are so that when the risk manager goes to the market he is able to explain it to the brokers who in turn are able to explain able to match it up with the insurers to select the correct coverage."