Cyber Insurance – You’re In Good Hands or Are You?

Published On: April 7, 2017

April 7th, 2017

Ed Snodgrass, CISO, Secure Digital Solutions

 

“He who defends everything defends nothing”, said Frederick the Great.  That’s true for security as well.  The threat landscape is so vast that the cost in people, process and technology to protect against everything is cost-prohibitive and unrealistic.  Instead, security leaders must prioritize and align defenses based on threat, risk and capability.  When it comes to cyber insurance, the best approach is to identify and secure the organization’s most critical assets and then quantify and insure the remaining risk.

Cyber insurance has been around for 20 years – starting off primarily as E&O, or Error and Omission coverage – as a bolt-on to an existing policy.  Many software and technology companies used this coverage to reduce risks such as their product disrupting a customer’s network or introducing a virus into a customer’s system.  Over time, more robust policies started to cover compromises of sensitive information – eventually evolving into the coverage today that addresses E&O, media liability, network security and privacy.  The range of features and coverage is extensive and a solid cyber insurance policy can go a long way toward supplementing your enterprise security strategy. But, it’s only a supplement – not a salvation.

While a policy is necessary, the process of scoping, pricing and acquiring cyber insurance could use some improvement.  The typical application includes a short form to determine recommended coverage type, cost and liability using metrics that may be far too rudimentary to accurately quantify the protection required.

Incorporating the concepts of good-standing and merit into the process would be an upgrade as well.  When we purchase auto insurance, for instance, the cost of the premium is typically lower if certain criteria are met (age, maturity, etc.) and we can show a lengthy span of accident-free driving.  We’re rewarded for doing things well.

Shouldn’t cyber insurance work the same way?  Is it appropriate for two similar companies with similar requirements to pay the same amount for the same coverage — if one views security and compliance as a checkmark, and the other a critical part of the business and have security programs based on those views?   In my opinion, no.

For security leaders that have invested in building a mature security program, the scope, scale and cost of the coverage should be driven by the ability to demonstrate a ‘lengthy span of accident-free driving’ using metrics – not driven by a questionnaire.  Policies should be based on how well you’ve built your program and how well you can demonstrate its alignment and effectiveness.

TrustMAPP is partnering with companies to demonstrate business alignment and program effectiveness by giving security leaders the visibility and control they need to drive safely.

See how by requesting a trial.

Browse These Topics

Tags

boost the protection of your data bridge the gap in your information security challenges build a cyber safe firm business decisions around security Challenges Facing Chief Information Security Officers CISO program efficacy CISO program management cyber security cyber security goals Cybersecurity management Cyber Security Mistakes cybersecurity performance management cyber security platform cyber security team Effective Data Security Measures effectively communicate with board members regarding cyber issues or threats elevate your security confidence elevating information security elevating your information security levels Identify Potential Security Weaknesses Implementing a Comprehensive Cyber Security Plan Implementing Strong Cyber Security Protocols Implementing strong security software protocols improve cyber security protocols Information Security Programs information security protection agency information security risk management information security solutions information security trends managing your information security effectively maturity of your information security and privacy programs measure security levels measure your security proprietary software can help you to protect your company Protect Against Costly Security Breach Protect Customer Data Protect Cyber Network risk management advisor risks of a data breach roadmap to better information security robust security monitoring service successful information security technology advancement top notch security software for your company traveling to high risk countries