After years of trying, Risk Based Security CISO Jake Kouns finally managed to get cyber insurance the attention he thinks it deserves. He had been submitting ideas for insurance-related talks for the annual Black Hat USA event since 2012 - and had been rejected four times. But at last week's Black Hat in Las Vegas, he led one of the sessions during a dedicated micro summit about cyber insurance.
Interest and attitudes around cyber insurance has changed, according to Kouns, as more security managers and businesses of all sizes recognize its need as part of an overall security strategy. Though PWC estimates only about 30% of companies have cyber-risk insurance or cyber liability insurance coverage, the market continues to grow. According to a recent report by A.M Best, direct premiums written for both standalone and packaged cyber policies grew about 12% in 2018, from $1.8 billion to $2 billion. While this is a bit slower than the past two years, the $2 billion figure is more than double what was written in 2015.
In his session, "Integration of Cyber Insurance Into A Risk Management Program," Kouns walked attendees through some of the best practices and caveats for investing in a policy. Here are some key takeaways for CISOs to consider when evaluating, purchasing, and relying on cyber insurance.
1. If Your Organization Doesn't Already Have Cyber Insurance, It Will
Organizations are increasingly investing in cyber insurance simply because they have no choice, Kouns said. Clients are insisting their partners have insurance for compliance purposes and regulatory requirements. More and more, having cyber insurance is part of contractual requirements, he said.
Kouns also stressed that for smaller organizations that have not put a strong security program in place, cyber insurance is critical and makes financial sense.
"Typical costs for cyber insurance are currently extremely reasonable," Kouns said. "If you're a CISO and you have a breach, what do you want to say? 'Whoops, sorry?' Or, 'We have a partner, let's file a claim.'"
2. Insurance Coverage Is Not a Substitution for a Security Program
Just like you wouldn't drive recklessly in a car simply because you have auto insurance, cyber insurance should not serve as reasoning to tailor back on investing in security strategy and tools. Under no circumstances should a business purchase cyber insurance and assume it is covered without putting the time and investment into a solid security program, Kouns said.
"My concern is this is what some people hear and do. We call this a moral hazard," he said. "Effective security programs cost money."
While cyber insurance may reimburse costs, it cannot mitigate the reputational damage incurred by a breach or a security incident. Insurance will not reinstate trust from clients and customers post-breach.
3. Security Should Get Involved Early in the Insurance Process
While the conversation about insurance is often being led in other financial divisions of a company, such as at the CFO level, the security department should be involved at the outset to help evaluate policies and coverage levels, Kouns said.
"Read the policy, give your input," he said. "Help to fill out the application. I have not seen enough IT security involved in the insurance process. A broker will say, 'Don't worry about talking to your IT staff. I'll fill it out for you.' That's bad.'"
Security staff or the CISO will understand the technical language and definitions in a way that others less tech-savvy and risk-informed cannot. Security is also more qualified to identify important exclusions that may be slipped into the policy and can advise accordingly. In order to ensure the policy has the right inclusions for your specific organization's needs, security needs to be consulted on each step of the evaluation and purchasing process.
4. Ensure the Requirements of a Policy Are Fulfilled So Your Coverage Won't Be Nullified
You've got a policy and now you're covered, right? Think again. You are obligated to fulfill and have in place a number of requirements in order for that policy to cover you in the event of a breach or other security incident.
This brings us back to the importance of security's involvement in the process and a thorough understanding of both the coverage and the policy details. What does your organization need to have in place that it may be overlooking? If the policy requires it, you will be out of luck on coverage in the event of a breach if you haven't made the proper accommodations.
5. Some Elements of Your Incident Response Plan May Need to Change
Kouns stressed that certain steps in an incident response plan may need to be tweaked once a cyber insurance policy is in place. This will include your breach reporting timeline because, as Kouns pointed out, almost all policies have requirements about timely reporting.
Secondly, it is critical to develop your IT plan prior to having to use it – and test it out. While many organizations have an incident response plan in theory, a considerable number have not actually put it to the test. Are you sure yours is up to the challenge if a breach occurs?
- CISOs: How to Answer the 5 Questions Boards Will Ask You
- 2019 Pwnie Award Winners (And Those Who Wish They Weren't)
- You Gotta Reach ’Em to Teach ’Em
- Why Every Organization Needs an Incident Response Plan
Image Source: Krolone via Adobe Stock