The Evolving Cybersecurity Insurance (and Assurance) Perspective
I recently participated as a panelist at a cyber-liability seminar with industry colleagues and partners. In attendance were nearly 150 professionals responsible in some manner for their company’s cybersecurity and/or insurance programs. Although many attendees had a firm grasp of cybersecurity and the challenges it presents, the resonating theme of the seminar, as evidenced by the nature of their questions, was, “What is the best way for us to holistically address all aspects of cybersecurity?”
Without a doubt, the cybersecurity insurance landscape is very confusing at the moment.
- “Do we need it?”
- “What are the coverage pros and cons?”
- “Will a policy help my company during (and post) breach?”
- “Does my existing ‘general insurance’ cover such activities?”
There are many due diligence activities required in order to answer these questions, and with the ever-evolving exposure scenarios (e.g., “zero” day threats) targeting companies, it raises the question, “How much insurance will be enough?”
Just as other insurance aspects of our personal and corporate lives have undergone many calibrations over time (due to legislation, public opinion, compliance, etc.), I suspect that the cybersecurity insurance framework will undergo a similar evolution.
However, one significant takeaway from the seminar was learning the important first step all companies should take: model their cyber assets and associated business processes to the security risk management framework most appropriate for them and their industry. Whether it is ISO 27001 or NIST, the practice of objectivity while undertaking these programs will not only illuminate a company’s cybersecurity strengths and weaknesses (which will most likely be necessary for establishing cyber liability policy deductibles), but it will also prepare a company for the critical steps it must take throughout a breach experience.
As experts have said, it is no longer a question of “if” we will get breached, but, unfortunately, a matter of “when.” Rather than relying on evolving cyber “insurance” policies, take advantage of risk management processes for an overall “assurance” of your company’s ability to recover from a potentially devastating business disruption.
http://guidepostsolutions.com/blog/the-evolving-cybersecurity-insurance/