


What security leaders are surprised to learn about cyber insurance

May 16, 2017
8 mins
IT Leadership, Technology Industry

Jason Christopher reveals some surprising insights on what cyber insurance offers for security leaders and how to take advantage of these benefits


Cyber insurance is fascinating. And it’s full of surprises, too.

The interviews and research pulling together the Leading Security Change on Cyber Insurance series both changed my perspective and excited me. I learned that misconceptions abound, partly due to the focus on “cyber liability insurance” and a misunderstanding of how the insurance industry works.

Over the coming weeks, I’ll share insights informed by experience from six different people, including risk managers, practitioners, and insurance carriers.

We kick off the series with Jason Christopher (LinkedIn, @jdchristopher), the CTO of Axio. Jason has over a decade of experience as a critical infrastructure operator, federal regulator, national incident response coordinator, and researcher. In that time, he’s led multi-million dollar security projects across both federal and private sector to improve cybersecurity programs for critical infrastructure companies.

Jason also has remarkable experience and insights into the insurance marketplace. With an active role in shaping some of the new insurance products and markets due to the nature of some of the challenges he’s helped solve, he’s seen the benefit of insurance beyond cyber liability (which is more important than most realize… stay tuned for more in the series).

We talked about some of the misconceptions about cyber insurance and the surprising benefits security leaders experience as they work through the process.

What are the common misconceptions security leaders have about cyber insurance?

Security leaders aren’t convinced insurance is necessary for their organization from a cyber security perspective. They don’t think of cyber insurance as a viable security control; they see it as more of a distraction from their day-to-day operations. They’ve all heard the horror stories of insurance not paying out on claims or how the insurance wouldn’t cover specific conditions – so they write it off as a waste of time. “Why sit on a call for an hour with insurance companies and explain my risk to them?” The absolute worst case is when the CISO sees insurance as an admission of guilt. There’s a perverse logic that if a security professional does their job properly, they won’t need insurance. Somehow that means if they buy insurance, they are failing somewhere in their technical program. This is not the case.

Fortunately, over the past few years, both the insurance market and CISOs have matured in discussing cyber risk. The forward-leaning security professionals understand that insurance is just like any other security control – it requires dedicating resources and a level of maturity. If you do not have basic protections in place, focus on those first. But if you want to have a more sophisticated conversation about cyber risk management, then why are you focusing solely on mitigation and acceptance of risk? Risk transfer mechanisms, like insurance, provide a more complete picture of managing risks – and it’s the only control that will actually pay for an incident while it is happening. I do not know any CISO that keeps $250,000 in the bank for a rainy day to hire a forensic firm or cover legal fees to address a cyber incident. That’s where insurance can help.

If cyber insurance is a control, does that mean security leaders can tailor it to meet their needs?

Absolutely. No one just installs an intrusion detection system without customizing rules and alerts. The same is true for insurance. Mature CISOs are starting to look at policies and inform companies as to what makes sense for their risk. Don’t have sensitive customer data? Then why purchase a policy centered around privacy risk events? You need to tailor your insurance purchases just like any other control. If you have building management systems or industrial control systems, you should check to see if your policies will cover equipment damage due to cyber attacks. It’s not easy, but once you understand your risk and what the policies cover, you can effectively transfer your risk to the insurance company. It’s the only control I’ve seen that will pay for a forensics team on-site at a company within 24 hours of an event. I haven’t seen a firewall do that yet.

Insurance covers every part of a business – property and casualty, kidnap and ransom, employment practices – and companies buy those based on their risks. If you live on the 40th floor of an apartment building in New York, you wouldn’t buy flood insurance. But if you live in California, you wouldn’t dream of going without earthquake insurance. The same is true for purchasing insurance as a firm or business. You need to do what makes sense for your business and your operating environment. Ignoring cyber insurance completely would be like not buying flood insurance when you live on the bank of a river that overflows annually. If you’ve never quantified your cyber risk, then you just won’t know how bad that sort of damage can be.

How important is our ability to quantify risk to get the right coverage?

It’s vitally important. As I mentioned earlier, insurance is like any control and needs to be tailored – the first step there is to quantify your impacts due to a cyber incident to find out what kind of insurance you actually need.

We work with clients to quantify their cyber risk based on their unique operating environments, threats, and impacts. If you never ask the question, “How much would a cyber attack cost me?” then you’re going to be stuck in the land of discussing risk as “high/medium/low.” No other area of a business can operate like that. A CFO cannot go to their board and say, “Our quarterly projections will be… yellow!” We know yellow is better than red, but what does that mean? Why is cyber risk different?

Quantifying cyber risk is not easy, but it is possible. It’s like running a tabletop exercise, but instead of examining your incident response, a company can examine what the impact would be and tie it to known financial data. All that data exists – costs of servers, workstations, employee overtime, legal fees, forensics firms, credit monitoring – we know what those values look like. It’s just a matter of tying those in with a model or simulation that is defensible.
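The kind of model Jason describes, worked through as an added example that is not part of the article and is not Axio’s method: a small compound frequency/severity Monte Carlo in Python that ties the cost components he names (forensics, legal fees, credit monitoring, server replacement, overtime) to an incident rate, produces an expected annual loss and a tail figure, and then shows how much of that loss a policy with a given retention and limit would transfer. Every cost figure, the incident rate, the retention and the limit are constructed placeholders for illustration, not benchmarks; the `analytic_expected_annual_loss` function is included so the simulation can be checked against the closed form of the same model.

```python
"""Monte Carlo quantification of annual cyber-incident loss.

Added example, not from the article or Axio. A year's loss is modelled as a
Poisson number of incidents, each with an independent lognormal cost per
component. All numbers below are constructed placeholders.
"""
import math
import random
from statistics import mean

# Constructed severity assumptions: (median cost per incident in USD, lognormal sigma)
# for each cost component the interview names.
COST_COMPONENTS = {
    "forensics_firm": (80_000, 0.8),
    "legal_fees": (50_000, 0.9),
    "credit_monitoring": (30_000, 1.0),
    "server_replacement": (20_000, 0.6),
    "employee_overtime": (10_000, 0.5),
}

INCIDENTS_PER_YEAR = 0.5  # constructed Poisson rate: one material incident every two years


def poisson(lam, rng):
    """Knuth's method for a Poisson sample; adequate for small rates."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def incident_cost(rng, components=COST_COMPONENTS):
    """Severity of one incident: the sum of independent lognormal cost components."""
    return sum(rng.lognormvariate(math.log(median), sigma)
               for median, sigma in components.values())


def simulate_annual_losses(trials=20_000, seed=7, rate=INCIDENTS_PER_YEAR,
                           components=COST_COMPONENTS):
    """One simulated annual loss per trial; seeded so results are reproducible."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        incidents = poisson(rate, rng)
        losses.append(sum(incident_cost(rng, components) for _ in range(incidents)))
    return losses


def analytic_expected_annual_loss(rate=INCIDENTS_PER_YEAR, components=COST_COMPONENTS):
    """Closed form for the same model: rate * sum of lognormal means, median*exp(sigma^2/2)."""
    return rate * sum(median * math.exp(sigma ** 2 / 2) for median, sigma in components.values())


def percentile(values, q):
    """Nearest-rank percentile of a list (q in [0, 1])."""
    ordered = sorted(values)
    idx = min(len(ordered) - 1, int(round(q * (len(ordered) - 1))))
    return ordered[idx]


def probability_exceeds(values, threshold):
    return sum(1 for v in values if v > threshold) / len(values)


def apply_policy(loss, retention, limit):
    """Amount a policy with this retention (deductible) and limit pays on a loss."""
    return min(max(loss - retention, 0.0), limit)


def summarize(losses, retention, limit):
    """Risk figures a security leader would bring to the insurance conversation."""
    transferred = [apply_policy(loss, retention, limit) for loss in losses]
    return {
        "expected_annual_loss": mean(losses),
        "p95_annual_loss": percentile(losses, 0.95),
        "p_exceeds_retention": probability_exceeds(losses, retention),
        "expected_transferred": mean(transferred),
        "expected_retained": mean(losses) - mean(transferred),
    }


if __name__ == "__main__":
    annual = simulate_annual_losses()
    for name, value in summarize(annual, retention=250_000, limit=2_000_000).items():
        print(f"{name:>22}: {value:,.2f}")
    print(f"analytic expectation  : {analytic_expected_annual_loss():,.2f}")
```

The useful output is not the single expected-loss number but the split between what stays with the company below the retention and what the policy would absorb above it: changing the retention and limit in `summarize` is the tailoring step, and comparing the simulated mean against `analytic_expected_annual_loss` is the minimum check that the simulation is defensible before anyone puts the numbers in front of a carrier.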

What are the types of things we can cover using cyber insurance?

Depending on your insurance products, you can find a lot of interesting coverage. Some of them are typical, like paying for data restoration and incident response teams. Others may be surprising, like covering the costs associated with regulatory fees or paying for ransomware demands. We’re talking about a risk transfer mechanism – but to transfer the risk, you need to first identify it and know how it would impact you. Transferring risk is not going to be the first response to quantifying potential cyber incidents. CISOs must still examine traditional mitigation techniques. Companies can then go to the insurance market with their information in hand and seek coverage.

I should note that not all risks can be transferred. Cybersecurity controls must still be in place. You wouldn’t stop buying fire insurance on your home if you had a sprinkler system installed, and vice versa. And not everything “covered” is universal. Like any insurance product, there are triggers for events and processes companies need to follow in order to make a claim. Insurance companies, because they are accepting the risk on your behalf, become a partner for your company.

What do security leaders need to do to make sure they are covered with a control that works for them?

At the risk of sounding like a broken record – identify and quantify your risks! Security leaders are great at identifying problems and optimizing technology solutions within their resource constraints. We have been trained our whole careers to do more with less and protect enterprises. Yet, for some odd reason, security leaders have been ignoring insurance, one of the oldest traditional tools used in safety, physical security, and catastrophic damage. Cybersecurity has analogies to each of those. And, in many companies, someone may already be buying cyber insurance. Or, worse yet, buying policies that aren’t explicitly intended to cover a cyber event, but may respond to business impacts, like property insurance. Regardless, that person will not be a security professional and, therefore, will not necessarily understand the nuances of what a “cyber attack” means. Risk managers that purchase insurance will understand that different coverages are needed to respond to different impacts, but without the technical and financial information to address a cybersecurity incident, companies may be purchasing insurance products without the knowledge of how the insurance will work before, during, and after an incident.

Purchasing insurance, just like buying any security appliance or tool, requires knowing your environment, the associated costs and impacts, and the company’s appetite for risk. It is not a plug-and-play product, nor is it a “set it and forget it” capability. If security professionals are not involved with buying cyber insurance, then companies risk overspending, neglecting their risk management procedures, or—worse yet—not being covered during a cyber incident.