Cyber Insurance is a means, and most often a requirement, for organizations to reduce the risk of business impact and a way to mitigate losses if an incident/breach were to occur. The cyber insurance policy is not unlike personal automobile or home insurance, where the insured pays a premium each year for reimbursement and coverage of costs associated with an adverse event. You hope you never need it, but should you get into a car accident or have a flood at your home, you will certainly want external advice and financial assistance with limiting and remediating the damage. Like those traditional, personal insurance policies, corporate cyber security policies are priced based on the risk of the insured. In the corporate world, inherent risk is applied based on the reputation of the organization itself and industry in which it operates. Another major factor of cost is the perceived strength and capability of the security program and control effectiveness in preventing breaches, including an analysis of the leader and team.
The cost of cyber insurance policies is increasing while coverages are being limited due to the underwriting criteria becoming more rigorous. Despite the risk factors noted above, many insurers apply models that are generic and appear to be devoid of deep understanding of the organization’s operating model. Quick example - An organization that is mostly SaaS based, runs little of its own technology infrastructure, and has limited control over sensitive data is often priced similarly to organizations with large, on-premises environments and access/control of large stores of sensitive information. This would be the same as pricing automobile insurance for a driver who has never been in an accident, drives 4 times a year, and has a very inexpensive car to a repeat offender, who drives in rush hour traffic every day and sports a luxury SUV. Premiums, deductibles, and resulting caps and coverages need to be priced based on more effective risk analysis and potential financial loss to the business.
In this multipart series, we’ll discuss how organizations can reduce their risk factors of breach exposure and make credible and supporting evidence arguments to insurers for right-sized and fair insurance premiums.
To learn more about cyber insurance, click here.