Defending technology systems against cyberattacks requires comprehensive risk management and insurance coverage.
- Mike Convertino and John Soughan
- November 2020
- The Problem: Too often cyber insurance coverage is purchased by companies without understanding their true cyberrisk exposures that leave them vulnerable to uncovered losses.
- Necessary Steps: To make organizations more resilient to cyber events, a comprehensive approach to cybersecurity risk management is essential, involving a thorough and continuous process to improve how a company assesses, prevents, protects, responds, and recovers from cybersecurity threats and attacks.
- The Solution: Insurers must close the gap between cybersecurity and insurance, thus making their insureds’ coverage more cohesive and resilient.
Independent thinking often earns praise, while independent operations can cause problems. Siloed functions can create gaps that may leave organizations vulnerable to a litany of problems.
One high-stakes example is the current piecemeal approach to cybersecurity and risk management. Too often, companies haven't asked their security team to identify the residual risks that remain after security measures are implemented.
By not asking the necessary follow-up questions, they may needlessly insure against risks that are well defended, or they may miss unaddressed risks and vulnerabilities that may not be covered by their insurance program. For example, chief information security officers and IT departments may employ firewalls and breach monitoring systems, but not train users against social engineering. The chief risk officer and others buying insurance may not know the true risk exposure and fail to insure against the threat of business email compromise. The result is the company has bought insurance, but not covered its actual risk.
To make organizations more resilient to cyber events, a comprehensive approach to cybersecurity risk management is essential—a thorough and continuous process to improve how a company assesses, prevents, protects, responds and recovers from cybersecurity threats and events. Breaches happen even in companies with superior IT and security functions. Because breaches are inevitable, cyber insurance is essential to a company's ability to respond to and recover from incidents. Yet, cyber insurance is often an afterthought.
The most effective way to address the residual risk after implementation of competent cybersecurity is to fully integrate robust cyber insurance into a company's cybersecurity risk management schema. Organizations must do more than coordinate these critical functions; they should examine how cyber insurance can directly compensate for inherent vulnerabilities to prevent, protect, respond and recover from events. By failing to fully integrate cyber insurance into a comprehensive program of cybersecurity risk management, companies are significantly increasing their downside risk. Data and experience show it's essential that these functions collaborate and complement each other to drive an organization's resilience.
The number of organizations experiencing cyber incidents continues to grow, particularly among small and midsize businesses. Companies spend more than ever on cybersecurity but aren't more secure. They need help mitigating cyberrisks, and the insurance industry has the experience, tools and methodology developed over many years and many lines of business to engineer risk, provide loss control, and ultimately reduce the total cost of risk for their insureds.
Insurers see a huge growth opportunity in selling cyber policies, yet they worry about taking on too much risk as cyber threats continue to proliferate. Because of the gap between cybersecurity and cyber insurance, cyber policies tend to come with exclusions and sublimits around areas of particular concern to insurers due to recent large losses. However, insurers have the incentive and the opportunity to help companies reduce risk by improving their cyber programs. Insured companies are not only open to that potential risk reduction, they want it. In a recent survey conducted on behalf of Resilience, 90% of chief information security officers said they want and are willing to purchase cybersecurity tools from their cyber insurance provider. Moreover, they said their top cybersecurity budget priorities are cyber tools and new equipment.
The insurance industry should rethink how it builds cyber policies. With tools to better understand and monitor exposures, insurers can augment cybersecurity services with coverage tailored to a company’s specific risk profile.
Policyholders and insurers want similar outcomes: protection against cyber threats and reduced loss costs. Closing the gap between cybersecurity and insurance, and making organizations more cohesive and resilient, yields several benefits:
- Businesses run better. Improving cyberrisk management practices and integrating them with cybersecurity frees organizations to pursue growth opportunities in stride, instead of taking halting steps because of vulnerabilities in their business ecosystems.
- Losses are reduced. An uncovered cyber claim means an organization must bear the loss on its own. Expenses relating to cyber incidents, with or without a data breach, continue to rise. Unexpected expenses are challenging for any organization, so cyber insurance that mitigates, prevents or pays for a loss is even more valuable.
- Trust grows. Disputes on whether a cyber incident is covered can permanently taint, if not destroy, an organization's relationship with its insurer. That experience in turn can influence how organizations view other insurers, creating a vicious cycle. On the other hand, a close partnership whereby insurers make their customers stronger builds trust.
- Cyber insurance is perceived as having greater value. When cyber insurance claim disputes arise, observers may question whether the coverage is worth buying. If the product doesn't respond when and in the way policyholders expect it to, what was the premium actually purchasing? Closing the gap between cybersecurity and risk management enables insurers to enhance the value of cyber insurance by ensuring its reliability to businesses.
Closing the Gap
- Improve threat assessment. Traditionally, insurers have assessed risk by looking at historical data. That makes sense where risks change little over time. For example, physical damage to a car or a building fire a decade ago won't look much different a decade from now. Not so with cyberrisks, which continuously evolve as the world becomes more connected and reliant on digital data and hackers invent new methods of attack. Insurers need new ways of understanding, quantifying, and assessing cyber threats.
- Embrace tools that enable dynamic risk evaluation. Cybersecurity technology keeps innovating, offering new methods of monitoring and measuring defense postures. It's now possible to examine cyber exposures in real time and benchmark them for specific industries.
- Align coverages to customers' actual exposures. The insurance industry should rethink how it builds cyber policies. With tools to better understand and monitor exposures, insurers can augment cybersecurity services with coverage tailored to a company's specific risk profile. This approach can supply coverages and manage cyberrisks where organizations most need them.
- Integrate cybersecurity into underwriting. An insurer that can work across the continuum, from risk assessment through to recovery, and that makes organizations more resilient to cyber threats, is a critical business partner.
Insurers by definition are in business for the long haul. They can offer meaningful protection and coverage for almost any risk if they have confidence that they can price the risk appropriately. Bringing together cyber security and insurance will lead to sustainable risk pricing, mutual trust and long-term resilience.
Best’s Review contributors: Mike Convertino is the chief security officer and John Soughan is product manager at Resilience. They can be reached at email@example.com.