Assessing damage after a major cybersecurity breach is one of the most harrowing things a CIO or CISO can face. There is plenty of blame to go around but rarely enough people to accept it evenly. And when it comes to recouping money from cyber insurance claims, this blame game is further complicated by confusion.
A typical corporate cyber insurance discussion goes like this: The CEO or board chairman calls the CISO into the room and tells him that their insurer is going to pay out only 38 percent of a claim because "you didn't implement encryption on the affected applications."
The CISO says: "First, I didn't know we had cyber insurance. Second, the impacted apps are running our ATM machines and if we would have encrypted them you would have fired me because our customers wouldn't have been able to access them. I wish you would have talked to me before you implemented these policies."
A CISO unaware that his own company had acquired an insurance policy to hedge against the cyber attacks he was hired to prevent sounds more like a plot line for an episode of the HBO series "Silicon Valley" than an actual business case. But such a disconnect happens frequently in the wake of breaches, according to Julian Waits Jr., CEO of PivotPoint Risk Analytics. "Insurance is purchased in silos," Waits Jr. says. "The two things that you think would go hand in hand as you deal with financial risk transfer hardly ever talk to each other."
Ignorance, confusion creates coverage gaps
As a result, companies are often uncertain about what is and is not covered by their policies, and often insure the wrong things, at a time when claims can be rejected for inadequate cyber security testing procedures and audits, outdated patches, inadequate cyber incident response plans, and inadequate backup and recovery processes.
Meanwhile, insurers build aggregate risk models that amount to one-size-fits-all policies, which do not necessarily fit enterprise customers' particular needs. These pose major challenges at a time when PwC says the global cyber insurance market could grow to $5 billion in annual premiums by 2018 and at least $7.5 billion by 2020.
For better insight into cyber insurance, Waits Jr. commissioned research with input from IT and insurers. Advisen, a cyber insurance research provider, polled 195 insurers and brokers, and the SANS Institute surveyed 203 information security and IT professionals for "Bridging the Insurance/InfoSec Gap: The SANS 2016 Cyber Insurance Survey," a report written by SANS analyst Barbara Filkins.