Quantify Risk to Reduce Premiums and More Cyber Insurance Advice for CISOs
Quantify cyber risk, reduce insurance premiums – that was the headline advice from a panel of insurance industry veterans gathered at the last FAIR Conference for a candid conversation on how CISOs and CFOs make the smartest investments to reduce loss exposure from cyber events – spend on cybersecurity or transfer risk to an insurer.
An insurable risk must have the prospect of accidental loss and for a loss to be covered, the policyholder must be able to demonstrate a definite proof of loss - If the extent of the loss cannot be calculated or cannot be fully identified, then it is not insured. Without this information, an insurance company can neither produce a reasonable benefit amount or premium cost -- thus the need for cyber risk quantification (CRQ).
2022 FAIR Conference Session: Cyber Insure or Self Insure?
Panel:
Moderator Arturo Perez-Reyes Strategist, SVP, Cyber and Technology, Newfront
Tom Srail, EVP Cyber Risk, Willis Tower Watson
Brandon Pinzon, SVP, Chief Security Officer, Argo Group Insurance
Mayur Patel, VP, Senior Cyber Underwriter, Munich Re
Watch the Session Video on Demand Now
A free FAIR Institute membership required to view. Join now.
Some highlights of this discussion on cyber liability insurance:
Quantify Before You Insure
Tom Srail: “Cyber risk quantification is very important to understand what different types of events might mean to your organization from a financial standpoint. For instance, what does a day of downtime in a business division mean for you...My opinion is, you start with the risk quantification before you even understand should we be insuring or not.”
Buying Cyber Insurance Coverage Is Not a Requirement – Having a Complete Picture of Your Cyber Risk and Financial Environment Is
Surprisingly, the panel agreed that insurance purchase – essentially to take risk off your balance sheet – is not mandatory but is multidimensional, depending on your threat landscape, controls environment, IT asset base, resiliency to attack, financial condition and other factors. All that argues for an always-on risk assessment capability.
Cyber Insurance Market Conditions Improving
According to the panel, we’ve been through what the insurance business calls a “hard market cycle” with insurance carriers pulling back on offerings and raising prices in the face of uncertainty over the risk landscape. Now, we are moving into a “soft market cycle.” So, shop around, particularly on price. Insider insight from Mayur Patel: “Nobody knows how to price cyber risk.”
There Is No Standard Cyber Insurance Policy. Better Read Yours
Not only are all cyber insurance policies different they are among the most complicated types of policies in the insurance world, the panel agreed. To make matters worse, “Nobody who buys insurance ever reads their policy,” said Arturo Perez-Reyes, and it may have exclusions you only find out about after you are in a cyber incident. “Some cyber insurance policies don’t allow you to pick the incident response vendors.” His advice in the event of a breach – call your broker before you act.
CISOs: For the Best Policy Pricing, Make a Presentation to Your Insurers
Panelists urged CISOs to be proactive in reaching out to their underwriters to explain their security program. “Come in and say, ‘this is my plan for the next two years,’” said Mayur Patel. “That shows me some sort of commitment to lowering exposure.” Tom Srail said “I think the marketplace is changing. I think insurers are looking for more real data or more control assessments and less reliance on 200-item questionnaires – do you have MFA, yes or no.” Brandon Pinzon suggested that CISOs and CFO’s “have an informed conversation” with insurers about cyber risk, that demonstrates they are on top of
-
Asset intelligence
-
Supporting structure for cyber risk management
-
Business context of IT systems
-
Financial context of the business.
