Cyber Insurance Musings - Part One

By Bryan Kissinger, PhD | VP and CISO, Trace3 Security Solutions

Cyber insurance is a means, and increasingly a requirement, for organizations to reduce the risk of business impact and to mitigate losses should an incident or breach occur. A cyber insurance policy is not unlike personal automobile or home insurance, where the insured pays an annual premium in exchange for reimbursement and coverage of the costs associated with an adverse event. You hope you never need it, but should you get into a car accident or have a flood at your home, you will certainly want external advice and financial assistance with limiting and remediating the damage. Like those traditional personal insurance policies, corporate cyber insurance policies are priced based on the risk of the insured. In the corporate world, inherent risk is assessed based on the reputation of the organization itself and the industry in which it operates. Another major cost factor is the perceived strength and capability of the security program, including the effectiveness of its controls in preventing breaches and an analysis of the security leader and team.

The cost of cyber insurance policies is increasing while coverage is being limited, because underwriting criteria are becoming more rigorous. Despite the risk factors noted above, many insurers apply generic models that appear to lack any deep understanding of the organization's operating model. A quick example: an organization that is mostly SaaS based, runs little of its own technology infrastructure, and has limited control over sensitive data is often priced similarly to an organization with a large on-premises environment and access to, and control of, large stores of sensitive information. This would be the same as pricing automobile insurance identically for a driver who has never been in an accident, drives four times a year, and owns a very inexpensive car and for a repeat offender who drives in rush-hour traffic every day and sports a luxury SUV. Premiums, deductibles, and the resulting caps and coverages need to be priced based on more effective risk analysis and the potential financial loss to the business.

In this multipart series, we'll discuss how organizations can reduce their breach exposure risk factors and make credible, evidence-supported arguments to insurers for right-sized and fair insurance premiums.


Bryan Kissinger, PhD, is an information security product and services leader focused on delivering technology-enabled solutions for complex business environments. Kissinger leads a team of professional security advisors focused on solving complex client security challenges, as well as managing Trace3's internal security program. He is a published author and public speaker known as an emerging-technology advocate and a designer of right-sized corporate IT and security programs.