Cyber insurance is fascinating. And it’s full of surprises, too.

The interviews and research pulling together the Leading Security Change on Cyber Insurance series both changed my perspective and excited me. I learned that misconceptions abound, partly due to the focus on “cyber liability insurance” and a misunderstanding of how the insurance industry works.

Over the coming weeks, I’ll share insights informed by experience from six different people, including risk managers, practitioners, and insurance carriers.

We kick off the series with Jason Christopher (LinkedIn, @jdchristopher), the CTO of Axio. Jason has over a decade of experience as a critical infrastructure operator, federal regulator, national incident response coordinator, and researcher. In that time, he’s led multi-million dollar security projects across both the federal and private sectors to improve cybersecurity programs for critical infrastructure companies.

Jason also has remarkable experience and insights into the insurance marketplace. With an active role in shaping some of the new insurance products and markets due to the nature of some of the challenges he’s helped solve, he’s seen the benefit of insurance beyond cyber liability (which is more important than most realize… stay tuned for more in the series).

We talked about some of the misconceptions about cyber insurance and the surprising benefits security leaders experience as they work through the process.

What are the common misconceptions security leaders have about cyber insurance?

Security leaders aren’t convinced insurance is necessary for their organization from a cyber security perspective. They don’t think of cyber insurance as a viable security control; they see it as more of a distraction from their day-to-day operations. They’ve all heard the horror stories of insurance not paying out on claims or how the insurance wouldn’t cover specific conditions-- so they write it off as a waste of time. “Why sit on a call for an hour with insurance companies and explain my risk to them?” The absolute worst case is when the CISO sees insurance as an admission of guilt. There’s a perverse logic that if a security professional does their job properly, they won’t need insurance. Somehow that means if they buy insurance, they are failing somewhere in their technical program. This is not the case.

Fortunately, over the past few years, both the insurance market and CISOs have matured in discussing cyber risk. The forward-leaning security professionals understand that insurance is just like any other security control-- it requires dedicating resources and a level of maturity. If you do not have basic protections in place, focus on those first. But if you want to have a more sophisticated conversation about cyber risk management, then why are you focusing solely on mitigation and acceptance of risk? Risk transfer mechanisms, like insurance, provide a more complete picture of managing risks-- and it’s the only control that will actually pay for an incident while it is happening. I do not know any CISO that keeps $250,000 in the bank for a rainy day to hire a forensic firm or cover legal fees to address a cyber incident. That’s where insurance can help.

If cyber insurance is a control, does that mean security leaders can tailor it to meet their needs?

Absolutely. No one just installs an intrusion detection system without customizing rules and alerts. The same is true for insurance. Mature CISOs are starting to look at policies and informing companies as to what makes sense for their risk. Don’t have sensitive customer data? Then why purchase a policy centered around privacy risk events? You need to tailor your insurance purchases just like any other control. If you have building management systems or industrial control systems, you should check to see if your policies will cover equipment damage due to cyber attacks. It’s not easy, but once you understand your risk and what the policies cover, you can effectively transfer your risk to the insurance company. It’s the only control I’ve seen that will pay for a forensics team on-site at a company within 24 hours of an event. I haven’t seen a firewall do that yet.

Insurance covers every part of a business-- property and casualty, kidnap and ransom, employment practices-- and companies buy those based on their risks. If you live on the 40th floor of an apartment building in New York, you wouldn’t buy flood insurance. But if you live in California, you wouldn’t dream of going without earthquake insurance. The same is true for purchasing insurance as a firm or business. You need to do what makes sense for your business and your operating environment. Ignoring cyber insurance completely would be like not buying flood insurance when you live on the bank of a river that overflows annually. If you’ve never quantified your cyber risk, then you just won’t know how bad that sort of damage can be.

How important is our ability to quantify risk to get the right coverage?

It’s vitally important. As I mentioned earlier, insurance is like any control and needs to be tailored-- the first step there is to quantify your impacts due to a cyber incident to find out what kind of insurance you actually need.

We work with clients to quantify their cyber risk based on their unique operating environments, threats, and impacts. If you never ask the question, “How much would a cyber attack cost me?” then you’re going to be stuck in the land of discussing risk as “high/medium/low.” No other area of a business can operate like that. A CFO cannot go to their board and say, “Our quarterly projections will be… yellow!” We know yellow is better than red, but what does that mean? Why is cyber risk different?

Quantifying cyber risk is not easy, but it is possible. It’s like running a tabletop exercise, but instead of examining your incident response, a company can examine what the impact would be and tie it to known financial data. All that data exists-- costs of servers, workstations, employee overtime, legal fees, forensics firms, credit monitoring-- we know what those values look like. It’s just a matter of tying those in with a model or simulation that is defensible.

What are the types of things we can cover using cyber insurance?

Depending on your insurance products, you can find a lot of interesting coverage. Some of them are typical, like paying for data restoration and incident response teams. Others may be surprising, like covering the costs associated with regulatory fees or paying for ransomware demands. We’re talking about a risk transfer mechanism-- but to transfer the risk, you need to first identify it and know how it would impact you. Transferring risk is not going to be the first response to quantifying potential cyber incidents. CISOs must still examine traditional mitigation techniques. Companies can then go to the insurance market with their information in hand and seek coverage.

I should note that not all risks can be transferred. Cybersecurity controls must still be in place. You wouldn’t stop buying fire insurance on your home if you had a sprinkler system installed, and vice versa. And not everything “covered” is universal. Like any insurance product, there are triggers for events and processes companies need to follow in order to make a claim. Insurance companies, because they are accepting the risk on your behalf, become a partner for your company.

What do security leaders need to do to make sure they are covered with a control that works for them?

At the risk of sounding like a broken record-- identify and quantify your risks! Security leaders are great at identifying problems and optimizing technology solutions within their resource constraints. We have been trained our whole careers to do more with less and protect enterprises. Yet, for some odd reason, security leaders have been ignoring insurance, one of the oldest traditional tools used in safety, physical security, and catastrophic damage. Cybersecurity has analogies to each of those. And, in many companies, someone may already be buying cyber insurance. Or, worse yet, buying policies that aren’t explicitly intended to cover a cyber event, but may respond to business impacts, like property insurance. Regardless, that person will not be a security professional and, therefore, will not necessarily understand the nuances of what a “cyber attack” means. Risk managers that purchase insurance will understand that different coverages are needed to respond to different impacts, but without the technical and financial information to address a cybersecurity incident, companies may be purchasing insurance products without the knowledge of how the insurance will work before, during, and after an incident.

Purchasing insurance, just like buying any security appliance or tool, requires knowing your environment, the associated costs and impacts, and the company’s appetite for risk. It is not a plug-and-play product, nor is it a “set it and forget it” capability. If security professionals are not involved with buying cyber insurance, then companies risk overspending, neglecting their risk management procedures, or—worse yet—not being covered during a cyber incident.
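Jason's answer on quantifying risk describes tying known cost categories (servers, workstations, overtime, legal fees, forensics, credit monitoring) to a defensible model or simulation, and then using the result to decide what to retain and what to transfer. The example below is added by the editor to illustrate that idea; it is not code from the interview, from Axio, or from the series author. Every dollar figure, the incident frequency, and the retention and limit are constructed placeholders, and the triangular distributions and the simple frequency-times-severity structure are modelling assumptions chosen for illustration, not a recommended methodology.

```python
"""Toy Monte Carlo model for quantifying cyber-incident impact in dollars.

Added example, not from the interview. Every cost figure here is constructed
for illustration; a real model would use the organization's own financial data.
"""
import math
import random
import statistics

# Constructed per-incident cost ranges in USD as (low, most likely, high),
# one entry per cost category named in the interview. Assumed values only.
COST_COMPONENTS = {
    "server_replacement":  (20_000,  60_000, 150_000),
    "workstation_rebuild": (5_000,   25_000,  80_000),
    "employee_overtime":   (10_000,  40_000, 120_000),
    "legal_fees":          (25_000, 100_000, 400_000),
    "forensics_firm":      (50_000, 150_000, 500_000),
    "credit_monitoring":   (0,       75_000, 600_000),
}


def poisson(rng, lam):
    """Knuth's algorithm: draw the number of incidents in a year with mean rate lam."""
    threshold = math.exp(-lam)
    count, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return count
        count += 1


def incident_cost(rng):
    """Severity of one incident: sample every cost component and sum them."""
    return sum(rng.triangular(low, high, mode)
               for low, mode, high in COST_COMPONENTS.values())


def annual_loss(rng, incidents_per_year):
    """Total loss in one simulated year: frequency (Poisson) times severity."""
    return sum(incident_cost(rng) for _ in range(poisson(rng, incidents_per_year)))


def simulate(trials=10_000, incidents_per_year=0.3, seed=2024):
    """Run the model and summarise the annual loss distribution.

    incidents_per_year is an assumed rate; a seeded RNG keeps runs repeatable
    so the numbers can be reviewed and challenged, which is what 'defensible' needs.
    """
    rng = random.Random(seed)
    losses = sorted(annual_loss(rng, incidents_per_year) for _ in range(trials))

    def pct(q):
        return losses[min(len(losses) - 1, int(q * len(losses)))]

    return {
        "losses": losses,
        "expected_annual_loss": statistics.fmean(losses),
        "p50": pct(0.50),
        "p90": pct(0.90),
        "p99": pct(0.99),
        "max": losses[-1],
    }


def apply_policy(losses, retention, limit):
    """Split each year's loss into the part the company keeps and the part a
    policy with the given retention (deductible) and limit would pay."""
    transferred = [min(max(loss - retention, 0.0), limit) for loss in losses]
    retained = [loss - paid for loss, paid in zip(losses, transferred)]
    return retained, transferred


if __name__ == "__main__":
    result = simulate()
    # Assumed policy terms: $250k retention, $2M limit (placeholders).
    retained, transferred = apply_policy(result["losses"], retention=250_000, limit=2_000_000)
    for key in ("expected_annual_loss", "p50", "p90", "p99", "max"):
        print(f"{key:>21}: ${result[key]:>14,.0f}")
    print(f"   mean retained/year: ${statistics.fmean(retained):>14,.0f}")
    print(f"mean transferred/year: ${statistics.fmean(transferred):>14,.0f}")
```

The output replaces "high/medium/low" with a loss distribution in dollars: the expected annual loss is what a budget line would carry, the p90 and p99 values are the tail a policy is meant to absorb, and `apply_policy` makes the gap between the two visible, including the losses a given retention leaves with the company and the losses above the limit that are not transferred at all. Changing the constructed inputs to the organization's own figures is the whole exercise; the structure is deliberately simple so every assumption can be read and challenged.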