“It is becoming a mainstream assumption that insurance carriers can help organizations with cyber-risk management, both in the traditional risk transfer sense and in the broader sense that they can act as neutral arbiters of cybersecurity best practices,” said NSS Labs’ Andrew Braunberg, writing in an analyst brief. “This is readily demonstrated in the recent push by the White House to promote greater insurance carrier participation in the National Institute of Standards and Technology (NIST) effort to create a cybersecurity best practices framework for critical infrastructure providers.”
And indeed, beyond pulling insurance carriers into the creation of the NIST cybersecurity framework, movement in the public sector is bolstering cyber-insurance in other ways. Also raising the insurance profile among security professionals is the proposed reform of European Union (EU) data protection laws, which is expected to accelerate cybersecurity insurance adoption in Europe.
Braunberg recommends that enterprises should view cybersecurity insurance as an important component of their overall risk management strategy. “US-based public companies must understand and keep abreast of current SEC expectations for cyber-risk/incident disclosure and, just as importantly, current industry best practice for reporting,” he said. “Enterprises should better leverage information technology (IT) security teams when selecting cyber security insurance and when explaining risk profiles. And insurance carriers should more fully consider and assess the differences among security vendors and products, in particular the differences in overall security readiness that are achievable based on the specific products used for defense.”
A recent market survey from the Ponemon Institute put cybersecurity-insurance adoption at approximately one third of large US businesses. About 39% said that their organizations have plans to purchase a policy.
Ponemon also asked respondents to disclose which employees within their organizations make the decisions to purchase cyber insurance. Interestingly, chief information security officers (CISOs) and IT security personnel have little influence regarding choice of insurance carrier. Risk management teams are most likely to evaluate carriers and influence buying decisions. Other important influencers are business unit leaders, general counsels, and chief financial officers (CFOs).
“For those under the impression that the insurance carriers would add some much needed data rigor to the cyber security risk management markets, there is some bad news: they simply are not there yet,” Braunberg noted. “The truth is that carriers believe that technical controls account for a relatively small percentage of the overall security posture of an organization and that they can build risk models without a detailed understanding of the specifics of the technical controls in place within a particular customer.”