6/29/2016 02:00 PM
How To Bridge The Cyber Insurance Gap

CISOs and insurance executives must unite and create more defined terminology and expectations for cyber insurance.

The information security and insurance businesses traditionally have worked in parallel with one another, but with the rise of high-profile security breaches the two industries are being forced to work more in concert.

A new study by the SANS Institute and insurance research group Advisen seeks to bring both groups together. The survey, commissioned by PivotPoint Risk Analytics, polled 203 IT security professionals and 194 insurance industry executives.

SANS/Advisen’s report found that for starters, a terminology gap exists between information security professionals and insurance providers on the definition of simple terms such as “risk” and “data breach.”

According to the survey, only 38% of respondents involved in the decision to purchase cyber insurance believe there’s a common language of cyber risk between themselves and their insurance representative, and 55% say they lack a common language with which to communicate about cyber insurance.   

Barbara Filkins, the SANS senior analyst who headed the study, says coverage is much harder to quantify for cyber insurance than for traditional lines of insurance.

“In a fire, there is a beginning, middle and end, and it’s something people can see,” Filkins says. With a cyber incident, it may take several months after malware infiltrates a network before a company experiences any negative impact, then even once security pros remediate the attack, the threat may still be lurking.

David K. Bradford, co-founder and chief strategy officer at Advisen, says the survey was an attempt to bring both industries together.

“While no authoritative group has emerged, what we’ve found is that more CISOs are attending the technology track sessions at our insurance conferences and more insurance executives are attending some of the more technical trade shows,” he says. “I think realistically, that’s how it’s going to develop for now.”

Filkins, Bradford, and PivotPoint CEO Julian Waits each weighed in on how security pros and insurance executives can more closely work together. Here are three ways:

1. Bridge the communication gap. Keep in mind that the first cyber insurance policies were written as recently as the 1990s, so it is a new field. Today 61 companies offer cyber insurance, but no two of them define terms in quite the same way. For example, one policy may cover a company for a “data breach,” while another covers a “network security wrongful act.” Depending on the policy, those two terms may or may not describe the same event; it is not always clear. The University of Cambridge in the United Kingdom has been working on common terminology for cyber insurance, but nothing has been released, and what emerges would mostly be recommendations, not binding definitions.

Action item: CISOs must be more involved in helping define terms for cyber insurance as well as in selecting policies, and large companies need to get their corporate risk managers involved as well. The study found that while CISOs are involved in the cyber insurance process, 50% of decisions on cyber insurance were made by top management. That may change as CISOs and other IT executives get more involved in the final decision-making process.

2. Develop a baseline cyber insurance policy. The study found that the security investments made by companies do not always align with the criteria and priorities of underwriters. In fact, of the 26 policies examined by the University of Cambridge, no two policies offered the same level of coverage. Some areas of overlap do exist: eight of the policies offered coverage for CEO fraud events, and the majority covered ransomware events.


Action item: CISOs need to consider the impact of their technology decisions on cyber insurance. Today there is no single baseline standard for what a policy should contain. CISOs must work more closely with underwriters to explain their requirements so the underwriters understand the impact of various security events.

3. Educate CISOs on the role of insurance. Only 14% of insurance brokers say that CISOs understand the value of insurance very well. And nearly 40% of the security pros surveyed by SANS say that they don’t understand the characteristics and limits of the company’s cyber insurance coverage.     

Action item: Underwriters -- and especially brokers -- need to communicate effectively with CISOs on the role insurance plays following a cyber event. It’s here that brokers can be most effective. As the intermediaries between CISOs and the corporate risk managers on one side, and the underwriters on the insurance side, brokers can educate both sides on the needs of the other. Companies looking for cyber insurance should lean on the brokers because they have the expertise on what the different policies actually cover.  


Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.

Comments
skannry, User Rank: Author, 9/1/2016 | 10:16:22 PM
The gap needs to be bridged indeed
Great article, and study, relating to one of the biggest impediments in allowing the insurance industry to achieve its risk engineering potential for cyber. Bridging the gap and fostering a collaborative relationship between insurers and CISOs can help the insurance industry do for cyber risk what it did for maritime and property risk.
insurance12, User Rank: Apprentice, 7/18/2016 | 7:39:51 AM
Insurance
Great post. Thanks for sharing it with us.