The cyber insurance market continues to evolve rapidly, resulting in organizations finding it difficult to adapt to the continuous changes in requirements and costs. As insurance requirements shift, effectively managing cyber insurance will require organizations to manage risk more proactively. To help organizations assess and adapt their cybersecurity insurance policies to the market, global IT research and advisory firm Info-Tech Research Group has published its new blueprint, Assess Your Cybersecurity Insurance Policy.
“Cyber insurance has helped some CISOs rest easier amid threats of ransomware and data breaches, yet many industry pros have sour feelings about this type of insurance. They often argue that the whole thing is a ‘money pit’ because insurers won’t really pay up,” says Logan Rohde, senior research analyst at Info-Tech Research Group. “However, this view is too simplistic. The novelty of cyber insurance means that things are not yet standardized, leading some insurers to hide behind vague policy language to avoid paying claims that would bankrupt them or set claim-paying precedents that might run them out of business in the future.“
CIO INFLUENCE: Datadog Releases Data Streams Monitoring to Assess Streaming Data Pipeline Performance
The newly published blueprint explains cyber insurance changes are meant to reduce the amount of risk taken on by insurance companies, often requiring changes on the part of the insured. The blueprint and research found within it show that the challenge with this approach is that some organizations may not know which controls to prioritize, and some are seeing prohibitively expensive premiums. Furthermore, alternatives to cyber insurance are not always apparent.
“In many cases, cybersecurity insurance problems arise because policyholders do not fully understand what their policy covers and excludes. Once again, policy language is the underlying issue,” explains Rohde. “Therefore, it is vital to have a legal team review any language that seems unclear, especially concerning key areas of coverage like ransomware, data breaches, or acts of war.”
According to Info-Tech’s research, it is best to seek input from all parts of the organization to determine potential impacts accurately. Reducing the exposed surface area may also reduce insurance premiums, as insurance companies often use third-party vulnerability scanning services. By reducing the attack surface, organizations can reduce the number of potential vulnerabilities discovered by these services. An insurance broker can also help navigate the cyber insurance market, especially when comparing policies between insurance companies.
CIO INFLUENCE: HTC Global Services and Azentio Software Confirm Strategic Partnership to Offer Next-Generation Digital BFSI Solutions
The firm recommends that policyholders understand the needs of their organization when it comes to risk management so they can plan an appropriate strategy. Some of the key considerations Info-Tech advises they should be aware of include:
- Risks and risk tolerance.
- The impacts of realized risk, cost of program maturation, and the benefits of having insurance in the event of an incident.
- Alternatives to cyber insurance.
The blueprint also explains the different areas that must be understood when it comes to cybersecurity insurance options, including:
- Types of coverage
- Data breach insurance, which protects organizations from costs and impacts related to a data breach
- Cyber liability insurance
- Parties involved
- First party, which protects the organization from direct impacts
- Third party, which offers protection from third-party claims
- Out-of-pocket costs
- Retention, which is a monetary amount that the organization must pay before the insurance company gets involved
- Deductible, where the insurance provides coverage from the beginning and will seek reimbursement for the deductible amount after the fact
Cyber insurance is only one possible risk treatment strategy that transfers risk to another entity. The research suggests that organizations can still reduce risk by mitigating or avoiding it and should work to improve their information security program, regardless of whether or not they intend to obtain cyber insurance.
CIO INFLUENCE: Exascend Launches Industrial-Grade SD and MicroSD Cards to Meet Growing IoT Edge Storage Demand
[To share your insights with us, please write to sghosh@martechseries.com]