Cybersecurity Insurance: Safety at a Premium

Are your intangible assets protected? Here's how to choose the right cyberinsurance policy for your company.

The second area that insurers are looking at is the fundamentals of your businessthe size, revenue base, industry and management. In the current economic climate, it's worth noting that financial health is also a determining characteristic. "Financials are a good indicator of being able to safeguard your company," says O'Neill. "Less-than-stellar financials suggests that you don't have the capital to put into your electronic platform." All of that information becomes part of the underwriting process and, like a home inspection, the insurer and applicant will often negotiate about certain areas that need to be fixed in order to strike a deal. Once an applicant meets the qualifying level of security, it can go further and implement additional security measures that the audit recommends. And their premium will lower accordingly.

The process behind the pricing of the embryonic market for cyberinsurance is not all that different from the way other markets have developed. "I compare it with the way the environmental market built out," says Harrison Oellrich, a managing director of Guy Carpenter & Co. "The initial forms and exposures were very similar in that there was no data to underpin the rates. People began by putting a very restrictive policy form with very high pricing on the market; and over time, as they began to develop experience, they were able to broaden policy forms and modify the pricing significantly." Tips for the CSOGiven the uncertainty surrounding the pricing of cyberinsurance and the growing pressure on companies to seek such protection, the best thing a CSO can do is to judiciously examine each policy to determine how well it matches his company's needs. And forging a close relationship with the company's risk manager will be critical to that process. "Often, it's the first time they've even met one another, which is frightening," says Tracey Vispoli, assistant vice president and cyber solutions manager at The Chubb Group. "We're there to talk about risk, not technology. How much risk the organization wants to keep and how much it wants to transfer. When you put it on the business level of risk, everyone speaks the same language."

Here are some other things you can do.

Prioritize assets. Working together, the CSO and risk managers should develop an inventory of the company's technology risks and assets, prioritizing the assets that need to be recovered first and the points of failure that could result in widespread risk to the organization. "While CSOs tend to be experts in risk identification and mitigation, they have little experience with the alternatives for transferring the financial impact of losses from the balance sheetin other words, how can they hedge their bets," says Grange. "That's why a risk management model applies."