At the recent 2022 FAIR Conference for practitioners of Factor Analysis of Information Risk, a panel of CISOs debated the proposition: Now that cyber risk quantification with FAIR accurately shows us the cost vs. benefit of risk reduction for our cybersecurity decisions, do we still need to buy the blanket protection of cyber insurance?
Watch the video of the CISO discussion: Panel: Driving Culture Change - From a Compliance to a Risk-based Approach to Cybersecurity (FAIR Institute Contributing Membership required. Join now.)
It’s a more urgent question set against the current environment of skyrocketing premiums and narrowing coverage by insurers (see the decision by Lloyd’s of London to exclude losses from nation-state attacks).
“Now, with the FAIR standard, we can model specific scenarios and manage those risks in different ways. We can keep investing to add more controls and keep that risk down, or in some cases, move that bar up and get more transfer coverage with insurance.”
(For a detailed look at treat vs. transfer applying FAIR, see this case study from RiskLens comparing an upfront investment to paying years of insurance premiums.)
Mark Tomallo, CISO for Victoria’s Secret, agreed that “with the risk analysis and cost-benefit analysis that’s taking place, more companies are having those conversations.” He thinks the insurance market is “already at a tipping point.”
“You see large organizations who have never filed a claim and their premiums increase 100% or 200% and they are really looking at: Should we just self-insure? Why don’t we just withhold 50% of that premium and be able to satisfy 50% to 75% of every incident response, maybe a large breach.”
Insurance industry claims practices are another barrier, she said. “There are a lot of hoops, a lot of protocol to be able to put your claims in, you have to use certain vendors [for forensic services, etc.] to even collect.”
“It could be worth the hassle of a self-invested program where I have more freedom to get the vendors necessary to help in that incident vs. worrying about whether you are following all the right protocols.”
“Those are some really hard questions that we need to start seriously reflecting on,” she concluded.
Omar Khawaja, CISO at Highmark Health, though, had an explanation for the persistence of cyber insurance: “It’s easy to understand [for senior management or boards]…If we have an incident that costs $14 million, and we are protected for out of pocket $1 million, and for that benefit we have to pay $500,000, now you’ve given them the whole explanation in dollar terms. Rarely have I seen, working in large organizations, that the best solution is adopted. It’s the solution that most people can understand that’s adopted.”
Omar made a call to action for the conference audience of CISOs and risk management executives: Call your insurance broker about the increasing restrictions on cyber insurance coverage, such as the Lloyd’s exclusion of nation-state attacks.
“Who’s to say if it was a nation-state attack or a 16-year-old in their basement? It’s really hard to get that attribution right.” But if insurers aren’t going to pay out on those claims, “it renders a lot of cyber insurance kind of useless because so many cyber attacks originate from a country.”
“If enough of us go to the cyber insurance providers and say wait a minute, if you’re not going to cover this, we’re probably not going to renew next year. How do you think they will feel when they hear that message?”