{"id":517,"date":"2024-10-08T06:00:00","date_gmt":"2024-10-08T06:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=517"},"modified":"2024-10-08T06:00:00","modified_gmt":"2024-10-08T06:00:00","slug":"how-the-increasing-demand-for-cyber-insurance-is-changing-the-role-of-the-ciso","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=517","title":{"rendered":"How the increasing demand for cyber insurance is changing the role of the CISO"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>Demand for <a href=\"https:\/\/www.csoonline.com\/article\/571703\/cyber-insurance-explained.html\">cyber insurance<\/a> is up, and market observers expect the number of standalone cyber insurance policies will continue to rise. German multinational insurance company Munich Re <a href=\"https:\/\/www.munichre.com\/en\/insights\/cyber\/cyber-insurance-risks-and-trends-2024.html\">has valued the global cyber insurance market<\/a> at $14 billion in 2023 and estimated that it will hit $20 billion-plus in 2025 and exceed $29 billion in 2027.<\/p>\n<p>The rise of standalone cyber insurance, something that has been years in the making, is putting new responsibilities on CISOs as security officers are being asked to evaluate cyber risk and quantify it as part of the insurance selection process.<\/p>\n<p>They\u2019re being asked to help determine the appropriate levels of coverage based on that evaluation and quantification and they\u2019re having to demonstrate to carriers that their organizations do indeed have specific controls in place that show they\u2019re a good bet for coverage.<\/p>\n<p>\u201cThe CISO should have a voice in determining the need for coverage by assessing the potential impact of an incident on the business and working hand in hand with others in 
the organization to understand the impact from a monetary perspective,\u201d says Rex Booth, CISO of SailPoint, maker of identity and access management systems.<\/p>\n<h2 class=\"wp-block-heading\">Increasing threats and the evolution of the cyber insurance policy<\/h2>\n<p>The <a href=\"https:\/\/www.iii.org\/sites\/default\/files\/docs\/pdf\/triple-i_state_of_the_risk_cyber_02062024.pdf\">Insurance Information Institute cites two main drivers<\/a> of the rise in standalone cyber insurance: \u201cthe ubiquitous threat of data breaches and cyberattacks [and the fact that] insurers have made strides in clarifying policy coverage and exclusions, improving risk managers\u2019 understanding of product value and helping insurers better manage costs and rate stability.\u201d<\/p>\n<p>Another driver is the fact that many organizations now require their business partners to have standalone cyber insurance, says Forrester Research principal analyst Heidi Shey.<\/p>\n<p>\u201cIt\u2019s often a condition of doing business today,\u201d Shey says. \u201cThe insurance policy is almost like a proxy for readiness, response and resilience in some ways, because companies need to meet a certain level [of security controls] to qualify for a good policy.\u201d<\/p>\n<p>A further driver is that, in the digital era, business risk and cyber risk have become one and the same. \u201cEveryone is all interconnected, so much is digital and online, so business risk is cyber risk,\u201d she adds. \u201cAnd insurance is a means of risk transfer.\u201d<\/p>\n<h2 class=\"wp-block-heading\">CISOs are best positioned to deal with insurance brokers<\/h2>\n<p>Despite CISOs overseeing cybersecurity and the controls meant to blunt cyber risk, they have not historically been the executives who decide whether their organization buys cyber insurance. 
Instead, CFOs or chief risk officers typically make the call and determine what levels of protection to buy.<\/p>\n<p>However, CISOs are taking on larger roles \u2014 as they should \u2014 in those discussions and the decision-making process because they\u2019re well-positioned to understand the threat landscape, the types of threats that could impact them, and how each one could impact the organization, says Paul Caron, Head of Cybersecurity, Americas at S-RM, a global corporate intelligence and cyber security consultancy.<\/p>\n<p>Generally speaking, CISOs are also best positioned to share the organization\u2019s cybersecurity strategy and details of its security controls with insurance brokers or carriers, Caron says. \u201cCISOs are the ones who can best tell their story.\u201d<\/p>\n<p>And CISOs are best positioned to review the resources that a selected insurance company would possess to respond to an event and whether those resources would be the best choices. \u201cCISOs should be part of the process to say who they want to bring to the fight,\u201d Caron says. \u201cThey should be involved so they can understand how the insurance company would support them in an actual incident so they can have a frictionless response.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Cyber insurance coverage still varies between organizations<\/h2>\n<p>Most organizations do not yet have a standalone cyber insurance policy but instead rely on cyber coverage as part of other insurance products. 
Research further shows varying levels of coverage.<\/p>\n<p>The <a href=\"https:\/\/www.isaca.org\/resources\/reports\/state-of-cybersecurity-2024\">State of Cybersecurity 2024 survey report from ISACA<\/a>, an international professional association focused on IT governance, found that:<\/p>\n<ul class=\"wp-block-list\">\n<li>10% of respondents said their enterprise has first-party cyber insurance, which generally covers the costs associated with investigating and responding to cyber events as well as the financial impact on business operations;<\/li>\n<li>16% reported that their enterprise has only third-party cyber liability insurance, which covers the enterprise against claims for damages brought by others as a result of a cyber event;<\/li>\n<li>15% indicated that their enterprise has both first-party and third-party cyber insurance; and<\/li>\n<li>14% said their enterprise did not carry cyber insurance.<\/li>\n<\/ul>\n<p>Just as telling, perhaps, is the fact that almost half of the survey respondents did not know what kind of cyber insurance their enterprise carries.<\/p>\n<p>Meanwhile, Forrester\u2019s 2023 Security Survey found that 83% of enterprise security technology decision-makers said their organization had cyber insurance coverage.<\/p>\n<p>However, as Forrester delved deeper into the coverage, it found that only 26% of enterprise respondents reported having a standalone cyber insurance policy. Another 32% had cyber coverage through an endorsement on another business insurance policy, and 25% had cyber coverage included within another business insurance policy.<\/p>\n<h2 class=\"wp-block-heading\">Standalone cyber insurance policies remain the gold standard<\/h2>\n<p>Shey calls standalone cyber insurance policies (policies written specifically to cover cyber risk, rather than cyber coverage folded into another business policy) \u201cthe gold standard. 
Often when there is a suit, when a claim is denied, it typically involves a more general insurance policy, which has more ambiguous coverage.\u201d<\/p>\n<p>Of course, the coverage offered by standalone policies varies, Shey notes, but it typically covers costs associated with business interruption, incident response, forensics, and other standard services arising from a cyber event. Some also cover the costs of ransom payments and negotiator fees.<\/p>\n<p>Still, Shey says coverage \u201ccan be very carrier- and country\/region-specific, and a lot can be negotiated.\u201d<\/p>\n<p>The insurance market has seen several years of volatility, says Andy Moss, a partner in the Insurance Recovery Group in the Litigation Department at law firm Reed Smith. A spike in cyber events in the late 2010s set off a wave of claims, which was followed by pandemic disruptions and headline-making ransomware attacks. As a result, prices for cyber insurance surged and insurers implemented more restrictive policies, Moss says.<\/p>\n<p>That has turned around in 2024. 
\u201cWhat I\u2019m seeing is more and more companies coming into the fold and buying cyber insurance,\u201d Moss says, \u201cand those who have insurance are able to maintain their current levels of protection or improve them.\u201d<\/p>\n<h2 class=\"wp-block-heading\">CISOs say the threat landscape remains the biggest insurance driver<\/h2>\n<p>Although the more attractive terms of insurance products are welcome, CISOs themselves say the cyber environment remains the leading reason why their organizations are exploring cyber insurance.<\/p>\n<p>Nick Kathmann, CISO of LogicGate, a risk management and compliance solution provider, cites the threat landscape and the high costs of responding to incidents as the big motivators today.<\/p>\n<p>He also cites as a key reason for the surge in interest the fact that many more companies now require business partners to have cyber insurance, and he notes that investors, too, are making such demands.<\/p>\n<p>Kathmann says a rise in security maturity among small and mid-size organizations is further fueling interest in and purchase of cyber insurance.<\/p>\n<p>\u201cMore people are realizing that they\u2019re a target, even if they\u2019re a small organization. They\u2019re seeing the high costs of responses, and they\u2019re seeing that those costs get astronomically high very fast,\u201d he adds.<\/p>\n<p>(The average cost of a data breach in 2024 was $4.88 million, up 10% over the 2023 average, according to <a href=\"https:\/\/newsroom.ibm.com\/2024-07-30-ibm-report-escalating-data-breach-disruption-pushes-costs-to-new-highs\">IBM\u2019s 2024 Cost of a Data Breach Report<\/a>.)<\/p>\n<p>Kathmann adds: \u201cA very large organization with a lot of cash on hand and cash reserves can self-insure. 
But for anybody that doesn\u2019t have that money, insurance is becoming a requirement very quickly, especially if you want to sell B2B.\u201d<\/p>\n<h2 class=\"wp-block-heading\">To reduce risk, CISOs need to be an integral part of the insurance process<\/h2>\n<p>Sarb Sembhi, a member of the Emerging Trends Working Group at the governance association ISACA and CTO of Virtually Informed Limited, advises CISOs to work as part of a team that includes operations, finance, legal, risk, IT, human resources and communications \u2014 as they all have roles in responding to an actual cyber incident.<\/p>\n<p>\u201cIf you want to understand the risk and your [required insurance coverage], then get your team together, just as you would when you\u2019re dealing with regulations and compliance, and look at the changing risks and threats, your response plans and determine your policy requirements,\u201d Sembhi says.<\/p>\n<p>Caron says he has seen the consequences of excluding CISOs from insurance discussions and decisions, pointing to one incident response engagement he worked on as an illustrative example. The insurance company had its own panel of approved response providers and limited what it would pay for providers that weren\u2019t on that list.<\/p>\n<p>The CISO had his existing partners, but those partners weren\u2019t on the insurance company\u2019s list and would cost significantly more than the policy would pay. 
Hashing out the response team and who would pay what took nearly nine hours, significantly delaying the response.<\/p>\n<p>Despite such examples, Robert Booker, a former CISO now serving as chief strategy officer at HITRUST, which provides enterprise risk management, information security, and compliance assurances, says CISOs and their security programs may get a boost from the pursuit and purchase of cyber insurance, as insurers want proof that certain security controls are in place and may require the addition of certain policies and procedures to improve resiliency.<\/p>\n<p>\u201cInsurance companies have a rigorous process to validate that the controls companies say they have are actually there and in effect,\u201d he says. Moreover, he notes that some insurers offer services, such as assistance with tabletop exercises, that can strengthen an insured\u2019s security posture.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Demand for cyber insurance is up, and market observers expect the number of standalone cyber insurance policies will continue to rise. German multinational insurance company Munich Re has valued the global cyber insurance market at $14 billion in 2023 and estimated that it will hit $20 billion-plus in 2025 and exceed $29 billion in 2027. 
[&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":514,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-517","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/517"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=517"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/517\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/514"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=517"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=517"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=517"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}