The information security and insurance businesses traditionally have worked in parallel with one another, but with the rise of high-profile security breaches the two industries are being forced to work more in concert.
A new study by the SANS Institute and insurance research group Advisen seeks to bring both groups together. The survey, commissioned by PivotPoint Risk Analytics, polled 203 IT security professionals and 194 insurance industry executives.
SANS/Advisen’s report found that for starters, a terminology gap exists between information security professionals and insurance providers on the definition of simple terms such as “risk” and “data breach.”
According to the survey, only 38% of respondents involved in the decision to purchase cyber insurance believe there’s a common language of cyber risk between themselves and their insurance representative, and 55% say they lack a common language with which to communicate about cyber insurance.
Barbara Filkins, the SANS senior analyst who headed the study, says it’s much more difficult to quantify coverage in cyber insurance.
“In a fire, there is a beginning, middle and end, and it’s something people can see,” Filkins says. With a cyber incident, it may take several months after malware infiltrates a network before a company experiences any negative impact, then even once security pros remediate the attack, the threat may still be lurking.
David K. Bradford, co-founder and chief strategy officer at Advisen, says the survey was an attempt to bring both industries together.
“While no authoritative group has emerged, what we’ve found is that more CISOs are attending the technology track sessions at our insurance conferences and more insurance executives are attending some of the more technical trade shows,” he says. “I think realistically, that’s how it’s going to develop for now.”
Filkins, Bradford, and PivotPoint CEO Julian Waits each weighed in on how security pros and insurance executives can more closely work together. Here are three ways:
1. Bridge the communication gap. Keep in mind that the first cyber insurance policies were written as recently as the 1990s, so it’s a new field. Today there are 61 companies that offer cyber insurance, but nobody defines terms in quite the same way. For example, one policy may cover a company for a data breach, while another will cover a network security wrongful act. Whether those two terms mean the same thing depends on the policy, and it’s not always clear. The University of Cambridge in the United Kingdom has been working on developing common terminology for cyber insurance, but nothing has been released, and it would mostly be recommendations, nothing binding.
Action item: CISOs must be more involved in helping define terms for cyber insurance as well as selecting policies, and large companies need to get the corporate risk managers involved as well. The study found that while CISOs are involved in the cyber insurance process, 50% of decisions on cyber insurance were made by top management. But that may change as CISOs and other IT executives get more involved in the final decision-making process on cyber insurance.
2. Develop a baseline cyber insurance policy. The study found that the security investments made by companies do not always align with the criteria and priorities of underwriters. In fact, of the 26 policies examined by the University of Cambridge, no two policies had the same level of coverage. However, eight of the policies offered coverage for CEO fraud events, and the majority covered ransomware events.
Action item: CISOs need to consider the impact of their technology decisions on cyber insurance. Today, there’s no one single baseline standard for what a policy should contain. CISOs must work more closely to explain their requirements so the underwriters understand the impact of various security events.
3. Educate CISOs on the role of insurance. Only 14% of insurance brokers say that CISOs understand the value of insurance very well. And nearly 40% of the security pros surveyed by SANS say that they don’t understand the characteristics and limits of the company’s cyber insurance coverage.
Action item: Underwriters -- and especially brokers -- need to communicate effectively with CISOs on the role insurance plays following a cyber event. It’s here that brokers can be most effective. As the intermediaries between CISOs and the corporate risk managers on one side, and the underwriters on the insurance side, brokers can educate both sides on the needs of the other. Companies looking for cyber insurance should lean on the brokers because they have the expertise on what the different policies actually cover.