Cyber Insurance – You’re In Good Hands or Are You?

Published On: April 7, 2017

April 7th, 2017

Ed Snodgrass, CISO, Secure Digital Solutions

 

“He who defends everything defends nothing”, said Frederick the Great.  That’s true for security as well.  The threat landscape is so vast that the cost in people, process and technology to protect against everything is cost-prohibitive and unrealistic.  Instead, security leaders must prioritize and align defenses based on threat, risk and capability.  When it comes to cyber insurance, the best approach is to identify and secure the organization’s most critical assets and then quantify and insure the remaining risk.

Cyber insurance has been around for 20 years – starting off primarily as E&O, or Error and Omission coverage – as a bolt-on to an existing policy.  Many software and technology companies used this coverage to reduce risks such as their product disrupting a customer’s network or introducing a virus into a customer’s system.  Over time, more robust policies started to cover compromises of sensitive information – eventually evolving into the coverage today that addresses E&O, media liability, network security and privacy.  The range of features and coverage is extensive and a solid cyber insurance policy can go a long way toward supplementing your enterprise security strategy. But, it’s only a supplement – not a salvation.

While a policy is necessary, the process of scoping, pricing and acquiring cyber insurance could use some improvement.  The typical application includes a short form to determine recommended coverage type, cost and liability using metrics that may be far too rudimentary to accurately quantify the protection required.

Incorporating the concepts of good-standing and merit into the process would be an upgrade as well.  When we purchase auto insurance, for instance, the cost of the premium is typically lower if certain criteria are met (age, maturity, etc.) and we can show a lengthy span of accident-free driving.  We’re rewarded for doing things well.

Shouldn’t cyber insurance work the same way?  Is it appropriate for two similar companies with similar requirements to pay the same amount for the same coverage — if one views security and compliance as a checkmark, and the other a critical part of the business and have security programs based on those views?   In my opinion, no.

For security leaders that have invested in building a mature security program, the scope, scale and cost of the coverage should be driven by the ability to demonstrate a ‘lengthy span of accident-free driving’ using metrics – not driven by a questionnaire.  Policies should be based on how well you’ve built your program and how well you can demonstrate its alignment and effectiveness.

TrustMAPP is partnering with companies to demonstrate business alignment and program effectiveness by giving security leaders the visibility and control they need to drive safely.

See how by requesting a trial.

Browse These Topics

Tags

boost the confidence of board members boost the protection of your data bridge the gap in your information security challenges build a cyber safe firm business decisions around security CISO program efficacy CISO program management Cyber defense experts cyber security cyber security goals Cybersecurity management Cyber Security Mistakes cyber security platform effective cyber security software Effective Data Security Measures effectively communicate with board members regarding cyber issues or threats elevate your security confidence elevating information security house being robbed Identify Potential Security Weaknesses Implementing a Comprehensive Cyber Security Plan Implementing Strong Cyber Security Protocols Implementing strong security software protocols information security platform Information Security Programs information security protection agency information security risk management information security solutions Managing information security managing your information security effectively maturity of your information security and privacy programs measure security levels Proposing solutions to cyber threats proprietary software can help you to protect your company Protect Against Costly Security Breach Protect Customer Data risk assessment software risk management advisor risks of a data breach roadmap to better information security strong information security programs successful information security technology advancement top notch security software for your company vCISO