A recent survey involving both InfoSec and the insurance industry, conducted by PivotPoint Risk Analytics, SANS and Advisen, reveals that many gaps need to be filled for the cyber insurance market to reach maturity. The rapidly evolving industry is certainly an effective risk transfer vehicle for cyber vulnerabilities. However, the survey notes that organizations continue to feel an “uncertain sense of protection.” The complex and technological nature of cyber insurance often leaves decision makers confused over what coverage to purchase. In fact, a key finding suggests that only 48 percent of CISOs and other information security professionals find cyber insurance “adequate” when recovering from a data breach. Additionally, only 30 percent of underwriters and 38 percent of InfoSec respondents believe they “speak the same language” when talking about cyber insurance policies.

David K. Bradford, co-founder and chief strategy officer of Advisen Ltd, said, “Senior executives are now insisting on cyber insurance protection. As a result many CISOs and other InfoSec professionals are interacting with underwriters for the first time. CISOs, and even the risk managers charged with buying insurance, often do not fully understand what is covered by their cyber insurance policies.”

While cyber insurance is certainly becoming commonplace in organizations across all sectors, there are four cyber insurance gaps that must be bridged to reduce the risk of financial loss due to a cyber incident:
The Terminology Gap: InfoSec and insurance professionals acknowledge there is a communication barrier when “defining and quantifying risk, leading to different expectations, actions and justification for outcomes.” While InfoSec personnel think of risk in terms of threats and vulnerabilities, insurance providers think about reducing an organization’s risk in terms of financial loss from a cyber incident.
The Assessment/Framework Gap: Assessment frameworks provide standard actions, practices, plans, metrics and costs for minimal acceptable levels of cyber hygiene. They are used to “measure and benchmark defenses against other organizations and regulations.” However, InfoSec and the insurance industry disagree on the best frameworks and models – insurance personnel favor quantitative over qualitative models, while only 25 percent of InfoSec respondents prefer employing a detailed quantitative model.
The Communication Gap: The lack of a common lexicon between the cyber insurance industry and InfoSec creates a divide between the two. There is also a divide “within organizations between the InfoSec professional and the Risk Manager and within the insurance community between the underwriters and brokers.” This creates a lack of understanding when decision makers evaluate, recommend and purchase cyber insurance coverage, often causing coverage to fall short of expectations.
The Investment Gap: “Organizations seeking cyber insurance should aim for alignment between their InfoSec investments and the underwriting criteria. The environment, however, is too dynamic: Underwriters are not always transparent in how they establish criteria, leading to consternation for both the brokers and the buyers. An organization needs to determine its return on investment as it prepares for cyber security insurance coverage.”