Friday, December 29, 2023

Why CISOs & Cyber Insurance Carriers Need To Bridge Their Differences In 2024

Well, here we are in the last full weekend of 2023.  The social media platforms abound with predictions about what is going to happen in 2024.  As for cyber, the pundits have already started to make their claims.  But one area that has been overlooked by them, and that will continue to be a very hot-button topic going into next year, is Cybersecurity Insurance.

This is something I have written about extensively before, and heck, I have even written an entire book about it.  People think that getting a Cyber Insurance Policy is the same thing as getting medical or car insurance.  Unfortunately, it is not as cookie-cutter as that.  There are a lot of variables at play here, which are both quantitative and qualitative in nature.

Probably one of the biggest reasons for this is that Cyber Insurance is still a relatively new area.  The first policy was written by AIG back in 1997.  Over time, the problem that has evolved today is that the businesses that want to get a Cyber Insurance Policy think that the carriers are simply gouging and taking advantage of them, with a lot of red tape to go through only to face very high premiums.

On the other hand, since this is all new territory to the carriers, they are still struggling to find their footing and, at best, trying to break even.  In fact, when they first started to offer Cyber Insurance, many of them decided how much the premium should be based purely on a gut feeling.  There was no scientific approach to this, or even any form of actuarial science being applied to it.

Because of this, it was very easy to get an insurance policy.  As a result, claims from businesses started to pour in, even for the smallest things, and the carriers started to face steep losses.  Fast forward to now, and the result is that the carriers have become much more stringent before a business can even apply for a policy.  Although I am not a total expert in this area, before a policy can actually be awarded, there are a lot of hoops that an entity has to go through.

For example, the owner of a business has to fill out a lengthy assessment questionnaire.  It covers everything from making sure the right controls are in place, to how datasets are being protected, to whether there are response plans in place to mitigate a security breach should it occur, and even making sure that the business is in full compliance with the various data privacy laws, such as the GDPR, CCPA, etc.

Also, the organization may be subjected to a pre-insurance audit before the policy can even be considered.  This is just another precautionary step that the carriers have started to take to make sure that the assessment questionnaire is 100% truthful.  Third, there are now a lot of areas in which a carrier will not make a full payment, because the threat landscape is changing on a daily basis.

A perfect example of this is the Ransomware payment.  Previously, if a business paid the ransom, it would be reimbursed after filing a claim.  But because this threat variant has exploded ever since the days of the COVID-19 pandemic, there are no payments being made on these kinds of claims.  In fact, if a victim makes an actual payment, they will be further dinged on their Cyber Policy.

So what can be done to bridge this ever-widening gap?  Well, the CISOs of Corporate America and the insurance carriers have to come to some sort of middle ground.  How can this be done?  Well, it all comes down to forming a partnership between the two.  In other words, the CISO should not view an insurance company as a nemesis, and likewise, the carrier should not view a prospective policyholder as a potential gouger.

This has to be a firm relationship, and it has to be based on quantitative measures.  The best place to get started is to come to some sort of mutually agreeable consensus as to what risk is.  Every company has its own way of defining it, and the insurance carriers have yet another way of looking at it.  Although there are many ways in which to calculate risk, there also need to be some sort of baselines and best practices that all parties can be happy with in the end.

Also, with the advent of AI and ML, calculating Cyber risk should hopefully be an easier task now.  By mutually agreeing on it, a fair policy can be struck on both sides. 

But in order to make this happen, the CISO has to share confidential information about the metrics they are using to calculate their level of risk.  Likewise, the insurance carrier has to make sure that they do indeed keep it confidential.  Once this first level of trust has been established, then perhaps this partnership will start to blossom into a long-term one.

To get another insight into this, click on the link below:

https://www.darkreading.com/cyber-risk/why-cisos-should-get-involved-with-cyber-insurance-negotiation
