[BreachExchange] 5 Things to Know About Cyber Insurance

Destry Winant destry at riskbasedsecurity.com
Thu Aug 15 10:02:09 EDT 2019


More businesses are recognizing the need for cyber insurance as part
of an overall security strategy. Here are some key points to consider
when evaluating, purchasing, and relying on a policy.

After years of trying, Risk Based Security CISO Jake Kouns finally
managed to get cyber insurance the attention he thinks it deserves. He
had been submitting ideas for insurance-related talks for the annual
Black Hat USA event since 2012 - and had been rejected four times. But
at last week's Black Hat in Las Vegas, he led one of the sessions
during a dedicated micro summit about cyber insurance.

Interest and attitudes around cyber insurance has changed, according
to Kouns, as more security managers and businesses of all sizes
recognize its need as part of an overall security strategy. Though PWC
estimates only about 30% of companies have cyber-risk insurance or
cyber liability insurance coverage, the market continues to grow.
According to a recent report by A.M Best, direct premiums written for
both standalone and packaged cyber policies grew about 12% in 2018,
from $1.8 billion to $2 billion. While this is a bit slower than the
past two years, the $2 billion figure is more than double what was
written in 2015.

In his session, "Integration of Cyber Insurance Into A Risk Management
Program," Kouns walked attendees through some of the best practices
and caveats for investing in a policy. Here are some key takeaways for
CISOs to consider when evaluating, purchasing, and relying on cyber

1. If Your Organization Doesn't Already Have Cyber Insurance, It Will
Organizations are increasingly investing in cyber insurance simply
because they have no choice, Kouns said. Clients are insisting their
partners have insurance for compliance purposes and regulatory
requirements. More and more, having cyber insurance is part of
contractual requirements, he said.

Kouns also stressed that for smaller organizations that have not put a
strong security program in place, cyber insurance is critical and
makes financial sense.

"Typical costs for cyber insurance are currently extremely
reasonable," Kouns said. "If you're a CISO and you have a breach, what
do you want to say? 'Whoops, sorry?' Or, 'We have a partner, let's
file a claim.'"

2. Insurance Coverage Is Not a Substitution for a Security Program
Just like you wouldn't drive recklessly in a car simply because you
have auto insurance, cyber insurance should not serve as reasoning to
tailor back on investing in security strategy and tools. Under no
circumstances should a business purchase cyber insurance and assume it
is covered without putting the time and investment into a solid
security program, Kouns said.

"My concern is this is what some people hear and do. We call this a
moral hazard," he said. "Effective security programs cost money."

While cyber insurance may reimburse costs, it cannot mitigate the
reputational damage incurred by a breach or a security incident.
Insurance will not reinstate trust from clients and customers

3. Security Should Get Involved Early in the Insurance Process
While the conversation about insurance is often being led in other
financial divisions of a company, such as at the CFO level, the
security department should be involved at the outset to help evaluate
policies and coverage levels, Kouns said.

"Read the policy, give your input," he said. "Help to fill out the
application. I have not seen enough IT security involved in the
insurance process. A broker will say, 'Don't worry about talking to
your IT staff. I'll fill it out for you.' That's bad.'"

Security staff or the CISO will understand the technical language and
definitions in a way that others less tech-savvy and risk-informed
cannot. Security is also more qualified to identify important
exclusions that may be slipped into the policy and can advise
accordingly. In order to ensure the policy has the right inclusions
for your specific organization's needs, security needs to be consulted
on each step of the evaluation and purchasing process.

4. Ensure the Requirements of a Policy Are Fulfilled So Your Coverage
Won't Be Nullified
You've got a policy and now you're covered, right? Think again. You
are obligated to fulfill and have in place a number of requirements in
order for that policy to cover you in the event of a breach or other
security incident.

This brings us back to the importance of security's involvement in the
process and a thorough understanding of both the coverage and the
policy details. What does your organization need to have in place that
it may be overlooking? If the policy requires it, you will be out of
luck on coverage in the event of a breach if you haven't made the
proper accommodations.

5. Some Elements of Your Incident Response Plan May Need to Change
Kouns stressed that certain steps in an incident response plan may
need to be tweaked once a cyber insurance policy is in place. This
will include your breach reporting timeline because, as Kouns pointed
out, almost all policies have requirements about timely reporting.

Secondly, it is critical to develop your IT plan prior to having to
use it – and test it out. While many organizations have an incident
response plan in theory, a considerable number have not actually put
it to the test. Are you sure yours is up to the challenge if a breach

More information about the BreachExchange mailing list