April 7th, 2017
Ed Snodgrass, CISO, Secure Digital Solutions
“He who defends everything defends nothing”, said Frederick the Great. That’s true for security as well. The threat landscape is so vast that protecting against everything, in people, process and technology, is cost-prohibitive and unrealistic. Instead, security leaders must prioritize and align defenses based on threat, risk and capability. When it comes to cyber insurance, the best approach is to identify and secure the organization’s most critical assets and then quantify and insure the remaining risk.
Cyber insurance has been around for 20 years – starting off primarily as E&O, or Errors and Omissions coverage – as a bolt-on to an existing policy. Many software and technology companies used this coverage to reduce risks such as their product disrupting a customer’s network or introducing a virus into a customer’s system. Over time, more robust policies started to cover compromises of sensitive information – eventually evolving into the coverage available today, which addresses E&O, media liability, network security and privacy. The range of features and coverage is extensive, and a solid cyber insurance policy can go a long way toward supplementing your enterprise security strategy. But it’s only a supplement – not a salvation.
While a policy is necessary, the process of scoping, pricing and acquiring cyber insurance could use some improvement. The typical application consists of a short form that determines the recommended coverage type, cost and liability using metrics that may be far too rudimentary to accurately quantify the protection required.
Incorporating the concepts of good-standing and merit into the process would be an upgrade as well. When we purchase auto insurance, for instance, the cost of the premium is typically lower if certain criteria are met (age, maturity, etc.) and we can show a lengthy span of accident-free driving. We’re rewarded for doing things well.
Shouldn’t cyber insurance work the same way? Is it appropriate for two similar companies with similar requirements to pay the same amount for the same coverage when one views security and compliance as a checkmark, the other treats them as a critical part of the business, and each has built its security program according to that view? In my opinion, no.
For security leaders who have invested in building a mature security program, the scope, scale and cost of the coverage should be driven by the ability to demonstrate a ‘lengthy span of accident-free driving’ using metrics – not by a questionnaire. Policies should be based on how well you’ve built your program and how well you can demonstrate its alignment and effectiveness.
TrustMAPP is partnering with companies to demonstrate business alignment and program effectiveness by giving security leaders the visibility and control they need to drive safely.
See how by requesting a trial.