Cyber Insurance – a necessary evil or not?
Insurance policies of all kinds provide assurance when the stakes are high. With cyber insurance the latest policy to arrive on the market, is it a worthwhile expense? And do CISOs even have a choice about whether to buy it?
Adoption of cyber insurance is rising, but it is a topic of much debate among CISOs, who point to high premiums, restrictive conditions on claiming, and long questionnaires they must complete just to be quoted. Counter to that pain is the rise in clients demanding this level of cover from their suppliers, and boards seeking a policy to manage their risk and exposure.
Here’s what the ClubCISO Security Maturity Report shows
From surveying our members, we know that 70% of us have cyber insurance, but do we know what we’re covered for? And could that premium be better spent on improving security maturity across our organisations?
The topic of cyber insurance always provokes much debate, and during discussions with our members it became clear that this wasn’t always a CISO-driven decision. One ClubCISO member noted that the main reason for their organisation taking out cyber insurance was to pay for any fines in the event of a breach, implying this was a legal decision rather than an IT- or business-driven one.
So why might boards be keen to adopt a cyber insurance policy? A 2020 survey by insurance provider Zurich North America [1] found that the top drivers for taking out cyber insurance were business interruption (72%), system failure (70%), funds transfer fraud (66%), social engineering (66%) and reputational harm (60%).
However, it’s becoming more and more challenging for organisations to meet the minimum criteria needed to be covered. 6% of surveyed ClubCISO members stated that they wanted cyber insurance but didn’t meet the criteria, whilst 16% said they didn’t want it and didn’t believe in its benefits. For organisations that aren’t contractually obliged to hold a policy, are there higher spending priorities that would do more to increase cyber resilience?
Premium insurance – what does it really cover?
As the cyber security landscape continues to evolve and risks grow, so too do premiums. Some members described rising premiums but shrinking coverage, with the scope of cover being narrowed to reflect increasingly risk-averse underwriting.
Furthermore, insurers are asking increasingly probing questions about company cyber security set-ups and culture before agreeing to provide a policy.
It’s worth bearing in mind that you can work with your insurance provider or broker on the degree of detail you give them. A completed questionnaire discloses sensitive or confidential information about your business, in effect a map of your controls and their gaps, and the insurer holds that information for many companies, making insurers themselves attractive targets for cyberattacks. Weigh how much information you want to volunteer against the risk you would be taking on, and ask how the insurer stores and protects what you submit. Our members also discussed that appearing on a central register of insured organisations might make you a target for cyber criminals, the implication being that a known policy signals an ability to pay.
Many organisations agreed that ensuring basic cyber security controls are in place cannot be a bad thing, as these are typically what insurers will assess you against. More organisations could review the underwriting criteria and use them as a starter for ten when implementing good security practice, whether or not they end up buying a policy.
ClubCISO’s top tips for getting the most out of your cyber insurance policy
Below are some top tips from our members based on their experiences. Please take these as guidance and advice rather than law.
- Cyber insurance is an opportunity to engage with the business on a business issue. It lets CISOs move the conversation away from technology alone and into the business, and it reinforces to the business the steps your team is already taking.
- Review your prospective insurer’s claims record. Have other companies that have suffered breaches claimed successfully against their cyber insurance? Is a claim more complex, or less likely to be paid out, if the breach was caused by human error?
- Strike the right balance. Some insurers are more likely to cover you thoroughly if they understand your processes and find that you have fewer weaknesses in your organisation.
- Decide what kind of cover you actually want from your cyber insurance policy, to avoid paying over the odds for something you may never use. At some point you will probably encounter contractual obligations that require you to hold cyber insurance, but the contract may be ambiguous about the scope of cover needed. Is a tick-box approach enough? If so, you could be better off spending the money on cyber security controls and on aligning internal policies with industry best practice. This may mean additional investment in the security policies and standards that maintain operational and cyber resilience.
- Agree the risk tolerance with the business upfront so that everyone understands the playbook and when you should call upon the policy. This helps put a value on the policy before you take it out. Only 7% of ClubCISO members surveyed had claimed on their insurance, and 5% said they had claimed but were dissatisfied with their renewal price. Statistics such as these can be useful when discussing the pros and cons of a policy with your senior business and operational stakeholders.
- If you’re looking for a quick route to an insurance quote, ask your prospective provider whether you can supply a recent security assessment report rather than completing their lengthy questionnaire. Discuss this with your insurance broker, as some insurers have specific requirements.
- If you’re looking to renew your policy but face ever-rising charges, check what you’re covered for and do a market comparison when your costs go up. ClubCISO members referenced repeated occasions where premiums rose but coverage fell.
- Finally, agree operational and cyber resilience targets with business stakeholders, so that everyone understands how much disruption each service can sustain, whether measured operationally or as lost revenue, customer-service impact or market impact.
Cyber insurance is a controversial and complicated issue. It is worth discussing with qualified experts and weighing all the associated pros and cons before committing your company to a particular path. That said, the industry seems to be erring on the side of caution: demand for cyber insurance remains high. The percentage of first-time cyber insurance buyers has almost doubled in five years, from 26% in 2016 to 50% by the end of 2021 [2]. Make sure your business clearly understands the value and cost of cyber insurance.
If you would like to know more about the ClubCISO Information Security Maturity Report, you can access a copy here: https://www.clubciso.org/clubciso-security-maturity-report-2022-full-results/
Author: Stephen Khan is Group Chief Information Security Officer at Hargreaves Lansdown and chair of ClubCISO.
References: