Cyber Insurance – You’re In Good Hands or Are You?

Published On: April 7, 2017

Ed Snodgrass, CISO, Secure Digital Solutions


“He who defends everything defends nothing”, said Frederick the Great.  That’s true for security as well.  The threat landscape is so vast that the investment in people, process and technology needed to protect against everything is cost-prohibitive and unrealistic.  Instead, security leaders must prioritize and align defenses based on threat, risk and capability.  When it comes to cyber insurance, the best approach is to identify and secure the organization’s most critical assets and then quantify and insure the remaining risk.

Cyber insurance has been around for 20 years – starting off primarily as E&O, or Errors and Omissions, coverage – as a bolt-on to an existing policy.  Many software and technology companies used this coverage to reduce risks such as their product disrupting a customer’s network or introducing a virus into a customer’s system.  Over time, more robust policies started to cover compromises of sensitive information – eventually evolving into the coverage today that addresses E&O, media liability, network security and privacy.  The range of features and coverage is extensive, and a solid cyber insurance policy can go a long way toward supplementing your enterprise security strategy.  But it’s only a supplement – not a salvation.

While a policy is necessary, the process of scoping, pricing and acquiring cyber insurance could use some improvement.  The typical application is a short form that determines the recommended coverage type, cost and liability using metrics that may be far too rudimentary to accurately quantify the protection required.

Incorporating the concepts of good-standing and merit into the process would be an upgrade as well.  When we purchase auto insurance, for instance, the cost of the premium is typically lower if certain criteria are met (age, maturity, etc.) and we can show a lengthy span of accident-free driving.  We’re rewarded for doing things well.

Shouldn’t cyber insurance work the same way?  Is it appropriate for two similar companies with similar requirements to pay the same amount for the same coverage, if one views security and compliance as a checkbox exercise, the other as a critical part of the business, and each has built its security program on that view?  In my opinion, no.

For security leaders that have invested in building a mature security program, the scope, scale and cost of the coverage should be driven by the ability to demonstrate a ‘lengthy span of accident-free driving’ using metrics – not driven by a questionnaire.  Policies should be based on how well you’ve built your program and how well you can demonstrate its alignment and effectiveness.

TrustMAPP is partnering with companies to demonstrate business alignment and program effectiveness by giving security leaders the visibility and control they need to drive safely.

See how by requesting a trial.
