Filkins identified four key gaps that organizations must close in order to effectively procure cyber insurance policies that suit their requirements:
- The Terminology Gap. Infosec and insurance professionals acknowledge that they do not share a common definition of the fundamental concept of “risk.” InfoSec personnel think in terms of threats and vulnerabilities — and eliminating these by creating defenses, policies and programs. Insurance providers think in terms of reducing an organization’s risk of financial loss from a cyber incident.
- The Assessment Gap. Assessment frameworks establish standard practices, metrics and costs for minimal levels of cyber hygiene and are used to measure and benchmark defenses against other organizations and regulations. But insurers favor quantitative over qualitative models, with only 25 percent of infosec respondents employing a detailed quantitative model.
- The Communication Gap. The gaps above have fostered a communication divide between infosec and insurers, between infosec professionals and risk managers, and, within the insurance community, between underwriters and brokers.
- The Investment Gap. A lack of transparency in underwriting criteria has resulted in misaligned investments by buyers seeking cyber insurance. InfoSec personnel may invest in the wrong things, thinking it will make them insurable; or the insurance they purchase is not aligned with their realized losses and claims are denied. To further complicate matters, there may be policy provisions and exclusions that require legal counsel to interpret. For example, P.F. Chang's recovered $1.7 million from its insurer for post-breach expenses and defense of a class action suit following a 2014 breach. But the company did not recover $1.9 million it shelled out to a credit card processor for a PCI DSS assessment.
CISOs must be part of cyber insurance procurement
Shawn Wiora says SANS' gap findings are consistent with his experience evaluating and purchasing cyber insurance policies. As CIO and CISO of nursing care facilities provider Creative Solutions in Healthcare, Wiora found many policies lacking when matched up against his own security model, which is based on the cyber framework established by the National Institute of Standards and Technology. He says that there is a tool or assessment matrix to help CISOs correlate their security postures with the policies they elect to purchase. Another challenge is that so few cyber insurance claims have been processed and made publicly available, which keeps businesses in the dark.
While cyber insurance is an issue that everybody wants to understand, no one wants to talk about it because discussing cyber risks makes people uncomfortable, says Wiora, who took steps to educate his entire C-suite about cyber risks and insurance. "There is a lot of confusion and it's such a young industry," Wiora says. "The insurers don't get it."