Why CISOs Need to Make Cyber Insurers Their Partners

In the current threat landscape, the relationship between cyber-insurance providers and potential (or even current) policyholders is often strained, at best. Organizations may perceive the lengthy and involved process, paired with rising premiums, as insurance companies taking advantage of them. Insurance companies, however, are struggling to balance soaring loss ratios that were particularly rampant a couple years ago. 

While this disconnect is troublesome, it's no surprise that we are still trying to figure things out. Cyber insurance is nascent compared with other insurance segments. The first cyber policy was written by AIG as recently as 1997. In contrast, life and property insurance is well over 250 years old, and auto insurance more than 125 years old. It's natural for there to be some growing pains in a process that is relatively new and evolving at a rate incomprehensible compared with areas like life or property insurance. The good news is we aren't that far off from finding a comfortable position for both providers and policyholders. The key is to remember that we are all in this together. In fact, one of the biggest mistakes chief information security officers (CISOs) can make is not treating their insurance providers as a partner. 

How We Got Here 

It's useful to have a brief idea of how the industry developed so we have an appreciation for the current challenges. At its start, cyber-insurance premiums were almost entirely based on gut instinct, but that obviously was untenable long term. Thus, a system driven by macro-views was developed, where claims expectations were based on overall market losses applied across a pool of insureds.

The problem with this approach, however, is that claims quickly started to exceed projections and insurers observed that the risk of loss was concentrated among a subset of policyholders. Additionally, insurers became concerned about systematic or correlation risk, where a loss on one policy increased the likelihood of claims against other policies. Things were quickly getting out of hand for insurers. 

The next development that brings us to our current situation is the underwriting process itself. To mitigate the losses driven by macro-view-based policies, insurance applications have become significantly more complex and require detailed conversations, interviews, and site visits, with the goal of creating a tailored policy. Organizations often are required to meet specific threshold conditions, such as utilizing multifactor authentication and endpoint detection and response capabilities, and must pass an “outside-in” scan of their environment, which is done by a neutral third party.

The trouble is that IT estates are in a constant state of flux throughout the policy period, which makes getting truly accurate and nuanced information via a questionnaire nearly impossible — even for organizations that are attempting to provide the most accurate and detailed information. This has created an environment where there is substantial volatility in pricing and policy terms, leading to much of the tension between insurers and policyholders. 

Where We Need to Go 

To truly become partners, organizations and insurers first need to agree upon a common goal: risk reduction. This should be the easy part. The current underwriting process is trying to establish risk, but it has been unable to reliably pin it down for individual organizations. On the insured side, CISOs are regularly framing budgetary conversations to the board in terms of risk, so there is agreed upon terminology.

The missing piece is establishing a way to measure risk that both sides are satisfied with so policy pricing can be based upon it. The only way I see to accomplish this is through the sharing of electronically gathered metrics from inside an applicant organization's firewall that examines cyber posture. Unlike manually completed questionnaires, this data can provide a reliable snapshot of the environment. It's the difference between having an eyewitness to an event and a high-resolution recording of it — there really is no comparison between the two.

The reason this theme of partnership keeps coming up is it is a big ask for any CISO to share this kind of private information, especially if they are concerned that the information they provide will be used against them to increase premiums. From working closely with a large number of insurers, that isn't the motivation of any cyber insurers I know. They, like cybersecurity professionals across the industry, are simply trying to get their bearings in a constantly changing environment, and this radical transparency will be of benefit to the insured.

Once the insurers have that snapshot, they will be able to examine it and respond with details around key findings and prioritized remediation advice, allowing the applicant to make those adjustments and resubmit to get a better policy price.

At the end of the day, insurance providers and CISOs are all on the same team, so one of my biggest pieces of advice to CISOs: Treat your cyber-insurance carrier as a partner. Developing a strong relationship and engaging in regular dialogue will improve the renewal and claims process. Remember, nobody has more data on cybersecurity risk and losses than a cyber-insurance carrier.