Three factors are certain to influence your cyber security program today: regulations, third-party partners, and cyber insurance. Increasingly stringent requirements, exclusions, and policy premium costs may appear as a trifecta of pain launched your way from insurers. But cyber insurance is really an opportunity.
Security leaders can wield cyber insurance not only as risk transfer but as an approach for maturing security program practices within your organization. Our recently published report, The State Of Cyber Insurance, 2023, highlights differences between organizations with standalone cyber insurance policies versus cyber coverage through an endorsement versus no coverage at all. Among the highlights, we found that organizations with cyber insurance experienced fewer breaches and had better outcomes with detection and response.
But wait, there’s more! There are additional ways for organizations and security leaders to benefit from cyber insurance because of how this ecosystem is evolving and growing. For example, there are providers like Coalition and Cowbell Cyber that combine security services with cyber insurance. Cysurance insures, warrants, and certifies security solutions that meet underwriter requirements. There is also adjacent innovation happening such as with Cork, which offers warranties to managed security services providers for small- and medium-sized businesses designed as gap coverage to complement a cyber insurance policy. Then there are the value-added services and expertise that insurance brokers and carriers offer to clients. For example, some may offer a virtual CISO (a vCISO) to scan findings and questionnaires and to prioritize security actions for smaller clients that don’t have a CISO; help with incident response planning; insurance experts available to answer questions (even those not related to a claim); a training and awareness portal for policyholders; and more.
There are many misconceptions about cyber insurance today. For example, one misconception is “you become a target if you have cyber insurance.” The truth is, you are a target regardless of whether you have it or not. Then there’s the notion of “we don’t need it; we’ll self-insure.” Some organizations may be able to take this approach. Others may think they can, and drastically underestimate the costs they may incur. For many companies, it may not be a choice to forgo cyber insurance. If your business partners require you to have cyber insurance coverage as a condition of doing business together, you’re going to need it. Another common misconception is “it’s not worth it because insurers will look for ways to get out of paying a claim.” Cyber insurance is designed to be a way for firms to recoup some costs, but not all types of losses, sustained from a cyber event. It’s not meant to be a get-out-of-jail-free card. The type of cyber insurance coverage and the fine print of your policy matter when it comes to what is and what is not covered.
Cyber insurance will impact your decisions about the security technology and services in use. Insurance carriers will have requirements for cybersecurity controls and practices. They may also provide referrals to security technology and services providers. Your insurance broker is a key resource and guide for what to expect and for how best to position your organization to obtain cyber coverage.
To learn more from experts, register to attend Security & Risk Forum 2023 here.
This post was written by Principal Analyst Heidi Shey and it originally appeared here.