How To Bridge The Cyber Insurance Gap

CISOs and insurance executives must unite and create more defined terminology and expectations for cyber insurance.

The information security and insurance businesses traditionally have worked in parallel with one another, but with the rise of high-profile security breaches the two industries are being forced to work more in concert.

A new study by the SANS Institute and insurance research group Advisen seeks to bring both groups together. The survey, commissioned by PivotPoint Risk Analytics, polled 203 IT security professionals and 194 insurance industry executives.

SANS/Advisen’s report found that for starters, a terminology gap exists between information security professionals and insurance providers on the definition of simple terms such as “risk” and “data breach.”

According to the survey, only 38% of respondents involved in the decision to purchase cyber insurance believe there’s a common language of cyber risk between themselves and their insurance representative, and 55% say they lack a common language with which to communicate about cyber insurance.   

Barbara Filkins, the SANS senior analyst who headed the study, says it’s much more difficult to quantify coverage in cyber insurance.

“In a fire, there is a beginning, middle and end, and it’s something people can see,” Filkins says. With a cyber incident, it may take several months after malware infiltrates a network before a company experiences any negative impact, and even once security pros remediate the attack, the threat may still be lurking.

David K. Bradford, co-founder and chief strategy officer at Advisen, says the survey was an attempt to bring both industries together.

“While no authoritative group has emerged, what we’ve found is that more CISOs are attending the technology track sessions at our insurance conferences and more insurance executives are attending some of the more technical trade shows,” he says. “I think realistically, that’s how it’s going to develop for now.”

Filkins, Bradford, and PivotPoint CEO Julian Waits each weighed in on how security pros and insurance executives can more closely work together. Here are three ways:

1. Bridge the communication gap. Keep in mind that the first cyber insurance policies were written as recently as the 1990s, so it’s a new field. Today there are 61 companies that offer cyber insurance, but nobody defines the terms in quite the same way. For example, one policy may cover a company for a data breach, while another covers a network security wrongful act. Whether those two terms mean the same thing depends on the policy, and it’s not always clear. The University of Cambridge in the United Kingdom has been working on developing common terminology for cyber insurance, but nothing has been released, and what emerges would mostly be recommendations, nothing binding.

Action item: CISOs must be more involved in helping define terms for cyber insurance as well as in selecting policies, and large companies need to get their corporate risk managers involved as well. The study found that while CISOs are involved in the cyber insurance process, 50% of decisions on cyber insurance were made by top management. But that may change as CISOs and other IT executives get more involved in the final decision-making process on cyber insurance.

2. Develop a baseline cyber insurance policy. The study found that the security investments made by companies do not always align with the criteria and priorities of underwriters. In fact, of the 26 policies examined by the University of Cambridge, no two policies had the same level of coverage. However, eight of the policies offered coverage for CEO fraud events, and the majority covered ransomware events.

Action item: CISOs need to consider the impact of their technology decisions on cyber insurance. Today, there’s no single baseline standard for what a policy should contain. CISOs must work more closely with underwriters to explain their requirements so the underwriters understand the impact of various security events.

3. Educate CISOs on the role of insurance. Only 14% of insurance brokers say that CISOs understand the value of insurance very well. And nearly 40% of the security pros surveyed by SANS say that they don’t understand the characteristics and limits of the company’s cyber insurance coverage.     

Action item: Underwriters -- and especially brokers -- need to communicate effectively with CISOs on the role insurance plays following a cyber event. It’s here that brokers can be most effective. As the intermediaries between CISOs and corporate risk managers on one side and underwriters on the other, brokers can educate each side on the needs of the other. Companies looking for cyber insurance should lean on their brokers, because brokers have the expertise on what the different policies actually cover.

Steve Zurier has more than 30 years of journalism and publishing experience and has covered networking, security, and IT as a writer and editor since 1992. Steve is based in Columbia, Md.

User Rank: Author
9/1/2016 | 10:16:22 PM
The gap needs to be bridged indeed
Great article, and study, relating to one of the biggest impediments in allowing the insurance industry to achieve its risk engineering potential for cyber. Bridging the gap and fostering a collaborative relationship between insurers and CISOs can help the insurance industry do for cyber risk what it did for maritime and property risk.
User Rank: Apprentice
7/18/2016 | 7:39:51 AM
Great post. Thanks for sharing it with us.