Cyber insurance has become a non-negotiable for many businesses, but rising costs and stricter requirements are reshaping the landscape. As liability risks grow and coverage tightens, businesses need to navigate complex policies, align coverage with actual risk, and make smarter decisions in an era of constant cyberthreats if they are to acquire the best coverage possible.
We spoke to three industry leaders who explored the evolving landscape of cyber insurance, examining its necessity, strategic value, and the key factors that can influence coverage, costs, and resilience.
Bruce Jenkins, CISO, Black Duck:

High-profile cybersecurity incidents over the past decade, with SolarWinds an often-cited example, have increased liability risks for the cyber insurance industry. The obvious outcome: higher premiums and less coverage. Given these realities, how important is it to purchase cyber insurance? That question may be moot, as many business clients contractually require cyber coverage. Quite often, these clients have specific requirements around coverage categories and amounts.
If you are not contractually obligated to maintain cyber insurance, one of the most critical questions to ask is this: Does the premium cost-avoidance offset the liability risk my business may take on if we suffer a cyber attack or breach?
Assuming that obtaining cyber coverage is the correct business risk-management decision, there are options to consider. The US Federal Trade Commission published a list of cyber insurance considerations that, while geared toward small businesses, can apply to any entity considering cyber liability coverage. Those considerations include:
- What coverage types are needed to counter potential threats to your business? For example, if you process personally identifiable information on behalf of your clients, consider data breach coverage.
- Do you require legal representation with subject-matter expertise in areas such as data privacy, international law, and forensics?
- Will you have obligations to provide identity theft protection or credit report monitoring for your clients?
- Are cyber incident legal fees covered?
One of the most important ways to convince an underwriter that issuing a cyber policy is an acceptable risk to them is to show that you are not satisfied with simply checking compliance boxes. ISO and SOC audits, for example, are important, but you should not stop there. Show your underwriter that you have the administrative and technical controls in place to continuously and methodically identify and evaluate cyber risks. Those efforts may pay off with more coverage and less-costly premiums.
Richard Seiersen, Chief Risk Technology Officer, Qualys:

Should CISOs consider risk transfer as a strategic lever in their battle to make the business resilient to plausible future loss? The answer is a resounding YES! Our job is to bring down the likelihood and impact of plausible future loss via the controls we put in place, whether that is through people, process or technology. The leftovers (residual risk) should be transferred away to cyber insurance.
It’s the CISO’s job to inform whoever is acquiring insurance what that residual risk means in terms of plausible impact to the business. While they might make the purchase, they should be guided by your approach to security and the controls that you have in place, so that the most accurate view of the risks you are accounting for is reflected.
The most important factor is understanding what the business stands to lose. Specifically, what is the value at risk posed by the business’s use of technology? There might be specific points to cover, like what are the impacts around business disruption, regulatory data breach, or wire fraud based on social engineering. Based on those potential risks, what are the most plausible threats that might take advantage of those risks, and how are you implementing controls regarding your value at risk?
Next, you have to comprehend the residual risk that is not controlled for. This is not an exact science, and it leads to the bigger problem – it is impossible for a middle manager in finance to comprehend residual security risk in isolation. Likewise, it is impossible for your cyber insurance broker to do this for you as well. They are almost equally poised to miss the forest for the trees. They will invariably buy a policy that is based on a vague benchmark as opposed to what your business stands to lose.
This is where you need to bring your subject matter expertise on security – and more specifically, your expertise around your business and how it creates value – to bear. Wrest control of this process back as you are the person who is actually accountable for protecting the business from cyber loss.
Justin Kuruvilla, Chief Cyber Security Strategist, Risk Ledger:

Cyber insurance is a useful tool to mitigate the financial impact of cyberattacks. Many of the questions about your security controls might only ask for “yes/no” answers. This creates a risk that your actual security posture may not be accurately reflected, not only to the insurance managers but also to internal stakeholders. Rather, we know the opposite is true: mature cyber risk management will likely result in favourable answers.
It is essential to provide as much context as possible to help underwriters gain confidence in your application, enabling them to offer more accurate terms and pricing. For instance, in managing supply chain risk, it’s well known that supply chain attacks remain a highly attractive vector for malicious actors. Mapping your supply chain and identifying concentration risks beyond your third parties – including 4th, 5th, and even nth parties – can help uncover previously unknown risk scenarios.
Additionally, collaborating with your peers can identify systemic risks that could impact an entire sector. Proactively addressing these risks not only enhances your operational resilience but also allows for a more informed discussion with underwriters. Demonstrating due diligence in this area can give underwriters the confidence to offer more favourable terms of coverage.