Sometimes being the CISO can be a no-win position. According to a recent survey by human resources and management consulting firm Heidrick & Struggles, some 36% of CISOs report to the CIO, with 18% reporting to the CTO — that is, more than half of all CISOs report to a technical corporate officer rather than the business side of the organization.
This lack of recognition by the board can diminish the CISO's ability to deliver business-imperative insights and recommendations, leaving operations to have a more commanding influence on the board than cybersecurity. Too often the CISO gets the responsibility to protect the company without the authority and budget to accomplish their task.
In today's corporate environment, one business imperative is driving boards to seek out CISOs' input, increasing their corporate recognition and elevating the CISO's position to that of trusted adviser: cyber insurance.
Generally speaking, negotiating cyber insurance policies falls to the general counsel, chief financial officer, or chief operations officer. Having the CISO at the table when negotiating with insurance brokers or carriers is a best practice for ensuring that insurers understand not only which security controls are in place, but why the controls are configured the way they are and the organization's strategy. That said, best practices are often ignored for reasons of expediency and lack of acceptance by other C-suite executives.
Insurers' Added Value
When CISOs meet with insurance carriers and brokers, it is to explain corporate security policies and procedures, how and why certain security protocols are followed, and technical issues in the insurance application. But having the CISO interact directly with the insurers and underwriters also can put critical threat intelligence at the CISO's fingertips that they otherwise might not have, says Jason Rebholz, CISO at cyber insurer Corvus.
Prior to joining the insurance company, Rebholz says he was neither aware of the cybersecurity resources that insurance customers have for the asking, nor of the benefits the CISO can access to do their job more effectively.
Changing a CISO's mindset from thinking of the cyber insurer as a financial partner to a threat intelligence partner creates huge benefits for both sides. The insurers benefit because an educated CISO means reduced risk for the insurance company and clients.
"[Insurers] can become an asset because they see security from a lens that is different than mine, and I can overlay that on top of my knowledge to get even better at my job," Rebholz says. "A minimum thing that every CISOs should do is just ask to talk to the insurance carrier on the resources that they have available. You would be amazed at the discounts that you can get [and] the access to experts that you can get. Most importantly here is you can start to plan ahead."
Tracie Grella, global head of cyber risk insurance at AIG, concurs that CISOs can gain significant amounts of firsthand knowledge simply by engaging their insurers in discussions about cyber threats.
"We see losses across all geographies, across all sized organizations, and all industries. We're able to take all of that information and see quickly what types of claims are being reported. What's the new trend? How are they developing?" she says. "I think there's a good partnership here between insurance carriers and CISOs. This partnership is very instrumental in helping organizations improve their security posture."
CISO at the Table
While CISOs often are included in cyber insurance discussions at large companies, small and some midsize organizations might not have a corporate CISO position and are thus at a disadvantage, especially if there is an insurance claim, notes attorney Scott Godes, partner and co-chair of the Insurance Recovery and Counseling Practice at the law firm Barnes & Thornburg LLP, as well as the co-chair of the firm's Data Security & Privacy Practice.
"In a perfect world, a CISO would take as many steps as possible, as a best practice, to engage with the claim adjuster and, if counsel for the carrier is involved, to discuss the proposed courses of action and ideally be provided with a hard yes and affirmative answer to the proposed course of action," Godes says.
Without a CISO in place, organizations have non-technologists addressing technical cybersecurity issues, potentially putting the client at risk. Because cyber insurance is a risk transference function, organizations need a strong CISO "to be in front of the board and explain the importance of the issues at hand that have been presented by the carriers overall," Godes adds.
Filling out cybersecurity insurance applications alone is no small task. AIG's Cyber Insurance — Ransomware Supplemental application is 14 pages, with many of the questions requiring a significant amount of technical expertise. Failing to answer questions correctly could see a claim denied for providing misinformation or even the organization being sued by the insurance carrier.
"Having the actual boots on the ground is critically important to filling out these insurance applications," says Marc Schein, national co-chair of the Cyber Center of Excellence and a risk management consultant at Marsh McLennan Agency.
The general counsel or chief financial officer oftentimes is the decision maker for the insurance, Schein notes, "but when we're talking about the actual representations that we're putting together for an application, we want to have the folks that are actually boots on the ground, engaged in the conversation that way, [so] there's not a material misrepresentation from the organization to the insurer, which, again, could cause a denial of claim."
The chaos faced by the cyber insurance industry during the pandemic has lessened, he adds. CISOs who focus on Marsh's list of key cybersecurity controls now can get better rates and terms than a year ago.