What comes to mind when you read or hear the phrase "cyber insurance?"

Most focus on the "liability" part of cyber insurance, the protection companies seek in the event of a security breach. Then they form opinions based on whether they view that coverage as a valuable tool to reduce risk or a copout instead of developing a security program.

Here's the reality: cyber insurance is much, much broader than just liability coverage after a cyber incident. Security has an impact on everything, including insurance. And that's a good thing.

In this continued Leading Security Change on Cyber Insurance series, we learn from an experienced insurance underwriter, Garin Pace.

Garin Pace is the Cyber Product Leader – Financial Lines & Property for AIG. First and foremost, he's an insurance underwriter. His experience includes underwriting professional liability insurance for technology companies and cyber insurance for over a decade. And he's a technologist at heart. It's clear from our conversation that he's trying to merge the worlds of actuarial science, risk management, and insurance with information security.

Our conversation was energetic and packed with information. Garin's passion shines through (as you'll read below) – and his knowledge of the industry really helped me get a better sense of how security leaders can partner with insurance carriers to improve security for everyone.

Insurance is a valuable control to transfer risk, but you suggest cyber insurance is more. How so?

Insurance can play a key role in offsetting costs when a breach happens. We can help companies by identifying and encouraging best practices through data analytics, and also help companies respond accordingly when cybersecurity fails.

Once you do the basics, insurance can be the best risk reduction for the investment – insurance provides three other material benefits: 1) risk assessment & validation, 2) loss prevention consulting, and 3) help managing the incident.

There is a danger that insurers who are not underwriting appropriately might miss this opportunity, and somewhat reduce the value of insurance, turning risk management into a crude hedge. When both the insurer and the applicant engage correctly, the underwriting process presents an opportunity for the applicant to get feedback from the insurer about the type of risk it sees. This information can be used to verify the applicant's own findings, and gain the benefits of the insurer's experience (with thousands of clients, many insurers will be able to share actionable information about what they're seeing in the marketplace).

Even after identifying opportunities for better risk management, the benefits insurance can provide don't stop: many carriers provide services to clients to help them make better risks. With the economies of scale of some insurers, these "loss prevention services" allow insureds access to subject matter expertise, sometimes top-tier vendors; other times services internal to the insurer.

Finally, in the event of a loss, insurance is more than just a check: insurers' claims professionals handle dozens of such incidents per year, and can help guide insureds through the loss process, recommending counsel and other vendors, and alerting the insured to what to expect from litigation.

What might security leaders be surprised to learn about the process to underwrite cyber security risk?

I think security leaders would be surprised to learn how insurers treat the information they are presented during the underwriting process, and how that information does, and does not, affect claims.

While there is some variation, most cyber insurers view the information presented to them – such as controls the applicant has – as representative of the applicant's posture, but not a promise there will never be a mistake in execution. Insurance is for mistakes; most cyber insurers will pay claims where a mistake was a key event in the chain of events which resulted in the loss, even if that mistake was in not executing on a control the insured said they had.

For example, if an applicant tells the insurer they use full disk encryption on laptops, but one laptop – because of a unique set of circumstances – happens to not be encrypted and be the subject of a claim, most cyber insurers will pay the claim. That said, the information does have to be representative; if an applicant only encrypts laptops in one of their two business divisions, they are misrepresenting the risk if they tell the insurer they are "encrypting all laptops".

Seems a lot of people equate cyber insurance to breach liability. What other perils need to be considered?

Cyber insurance is so much more than data breaches! Truthfully, even "cyber" is a poor moniker: most "cyber insurance" policies respond to a "failure to protect the confidentiality of information" as well as a "failure of security", and thus would respond even to a non-electronic breach, such as disposing of medical records in a dumpster.

Beyond that, these policies cover a variety of impacts – failures of availability and integrity as well as confidentiality – from a variety of possible cyber perils: they respond to lost business (a possible outcome of a DoS attack), will pay to restore data from backups or even pay a ransom (ransomware), and are even starting to cover systems failures (not arising out of cyber attacks).

Increasingly – as the number of cyber-physical interfaces continues to grow – cyber insurance policies will need to evolve to cover bodily injury and real property damage arising out of a cyber peril. With systemic cyber attacks, for example, we have to think about what happens if a cyber-criminal accesses operational controls of a refinery or a train. Disruptions to the flow and security of data can have cascading effects and negatively impact institutions that rely on such data. Today's cyber insurance policies do a good job of responding to the most common cyber attacks, but most exclude bodily injury and real property damage; a few cyber insurers like AIG are remedying that limitation, and traditional insurers are starting to amend their policies to address the need as well.

Do insurance companies actually pay claims?

Categorically yes! There is a stigma that insurers take in premium but don't pay claims; this is not a viable business strategy for insurers. Not paying a claim sends a strong signal to the marketplace, and that insurer will quickly find their business is impacted as insureds shift their business to other insurers. Insurance products that do not address a real exposure – or are priced unattractively – will not be purchased by insureds. You can see larger limits taking hold in the industry, and towers of coverage purchased by sophisticated companies. This would not be happening if industries thought insurers were not paying claims.

Insurers of course fear changes in loss development. They write policies to provide certain coverages, and price them with certain expectations for loss. If the way the policies are written leads to ambiguity, or the way they are priced does not reflect the loss environment, then the insurer runs the risk of not only sacrificing their profits, but of sacrificing their capital. But overall, claims are a good thing; insurers just need to make sure their underwriting and pricing keep up with claims activity.

How can a security leader better approach the cyber insurance process in their organization?

Companies have to evaluate their cyber risk management needs and understand how cyber coverage fits into their holistic enterprise and technology controls. I think security leaders and their organizations would benefit from security leaders being part of the decision to buy cyber insurance, not just a source of the information required. Security leaders should not see insurance premiums as a loss of budget for either people or technology, but instead as another security tool they are purchasing (though it works a bit differently). Like any tool, they should be sure to ask if the tool meets their needs ("does it cover this scenario?"), get training on its use ("if we have an incident, how do we engage with the insurer; can we use the vendors we already have on retainer?"), and learn how to get the most use out of it ("what are our biggest risks? what could we do to reduce the premium/increase the coverage?").

If risk managers and security leaders engage together in the discussion of purchasing insurance, I think organizations will realize improved risk awareness and assessment, be more prepared should a significant cyber incident – one that requires action beyond just remediation, such as alerting customers and/or regulators – occur, get more value from both their insurance and their information security program, and feel confident representing to management they've taken reasonable steps to manage the exposure.