The problem was less about which job function was behind the decision to buy cyber-insurance than about how the policy was used should the day come to claim on it.
"For example, if the cyber insurance policy covers certain aspects of the risk, given the existing posture of existing systems - the CISO is better off spending additional funds in the security of new systems (not covered by the policy) rather than existing ones," he said.
"Another example, if the costs of investigating a breach are covered by the policy then CISO should limit the funding of projects aimed at making this task more cost effective."
CEP said it believed that the forthcoming EU General Data Protection Regulation (GDPR), due to be finalised by the end of this year, would have some impact on interest in cyber-insurance, not least because it is expected to mandate potentially large fines for breaches. However, that remained a long-term influence.
The UK Government has a stated policy of encouraging large and small firms to use cyber-insurance as a way of driving home security best practice.