How To Bridge The Cyber Insurance Gap

CISOs and insurance executives must unite and create more defined terminology and expectations for cyber insurance.

The information security and insurance businesses traditionally have worked in parallel with one another, but with the rise of high-profile security breaches the two industries are being forced to work more in concert.

A new study by the SANS Institute and insurance research group Advisen seeks to bring both groups together. The survey, commissioned by PivotPoint Risk Analytics, polled 203 IT security professionals and 194 insurance industry executives.

The SANS/Advisen report found, for starters, that a terminology gap exists between information security professionals and insurance providers on the definition of even simple terms such as “risk” and “data breach.”

According to the survey, only 38% of respondents involved in the decision to purchase cyber insurance believe there’s a common language of cyber risk between themselves and their insurance representative, and 55% say they lack a common language with which to communicate about cyber insurance.   

Barbara Filkins, the SANS senior analyst who headed the study, says coverage is much more difficult to quantify in cyber insurance than in traditional lines.

“In a fire, there is a beginning, middle and end, and it’s something people can see,” Filkins says. With a cyber incident, it may take several months after malware infiltrates a network before a company experiences any negative impact, and even once security pros remediate the attack, the threat may still be lurking.

David K. Bradford, co-founder and chief strategy officer at Advisen, says the survey was an attempt to bring both industries together.

“While no authoritative group has emerged, what we’ve found is that more CISOs are attending the technology track sessions at our insurance conferences and more insurance executives are attending some of the more technical trade shows,” he says. “I think realistically, that’s how it’s going to develop for now.”

Filkins, Bradford, and PivotPoint CEO Julian Waits each weighed in on how security pros and insurance executives can more closely work together. Here are three ways:

1. Bridge the communication gap. Keep in mind that the first cyber insurance policies were written as recently as the 1990s, so it’s a new field. Today there are 61 companies that offer cyber insurance, but nobody defines terms in quite the same way. For example, one policy may cover a company for a data breach, while another will cover a network security wrongful act. Depending on the policy, the two terms may or may not mean the same thing; it’s not always clear. The University of Cambridge in the United Kingdom has been working on developing common terminology for cyber insurance, but nothing has been released, and what emerges would mostly be recommendations, nothing binding.

Action item: CISOs must be more involved in helping define terms for cyber insurance as well as in selecting policies, and large companies need to get their corporate risk managers involved as well. The study found that while CISOs are involved in the cyber insurance process, 50% of decisions on cyber insurance were made by top management. That may change as CISOs and other IT executives get more involved in the final decision-making process on cyber insurance.

2. Develop a baseline cyber insurance policy. The study found that the security investments made by companies do not always align with the criteria and priorities of underwriters. In fact, of the 26 policies examined by the University of Cambridge, no two policies had the same level of coverage. However, eight of the policies offered coverage for CEO fraud events, and the majority covered ransomware events.

Action item: CISOs need to consider the impact of their technology decisions on cyber insurance. Today, there’s no single baseline standard for what a policy should contain. CISOs must work more closely with underwriters to explain their requirements, so the underwriters understand the impact of various security events.

3. Educate CISOs on the role of insurance. Only 14% of insurance brokers say that CISOs understand the value of insurance very well. And nearly 40% of the security pros surveyed by SANS say that they don’t understand the characteristics and limits of the company’s cyber insurance coverage.     

Action item: Underwriters -- and especially brokers -- need to communicate effectively with CISOs on the role insurance plays following a cyber event. It’s here that brokers can be most effective. As the intermediaries between CISOs and the corporate risk managers on one side, and the underwriters on the insurance side, brokers can educate both sides on the needs of the other. Companies looking for cyber insurance should lean on the brokers because they have the expertise on what the different policies actually cover.  

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.

User Rank: Author
9/1/2016 | 10:16:22 PM
The gap needs to be bridged indeed
Great article, and study, relating to one of the biggest impediments in allowing the insurance industry to achieve its risk engineering potential for cyber. Bridging the gap and fostering a collaborative relationship between insurers and CISOs can help the insurance industry do for cyber risk what it did for maritime and property risk.
User Rank: Apprentice
7/18/2016 | 7:39:51 AM
Great post. Thanks for sharing it with us.