Well, here we are in the last full weekend of 2023. The social media platforms abound with predictions about what is going to happen in 2024. As for Cyber, the pundits have already started to make their claims. But one area that has been overlooked by them, and will continue to be a very hot button topic going into next year, is that of Cybersecurity Insurance.
This is something I have written about extensively before, and heck, I have even written an entire book about it. People think that getting a Cyber Insurance Policy is the same thing as getting medical or car insurance. Unfortunately, it is not as cookie cutter as that. There are a lot of variables at play here, both quantitative and qualitative in nature. Probably one of the biggest reasons for this is that Cyber Insurance is still a relatively new area.
The first policy was written by AIG back in 1997. Over time, the problem that has evolved is that the businesses that want to get a Cyber Insurance Policy think that the carriers are simply gouging and taking advantage of them, with a lot of red tape to go through only to face very high premiums.

On the other hand, since this is all new territory to the carriers, they are still struggling to find their footing and, at best, trying to break even. In fact, when they first started to offer Cyber Insurance, many of them decided how much the premium should be based on nothing more than a gut feeling. There was no scientific approach to this, or even any form of actuarial science being applied to it.
Because of this, it was very easy to get an insurance policy. As a result, claims from businesses started to pour in even for the smallest things, and the carriers started to face steep losses. So fast forward to now, and the result is that the carriers have become much more stringent before a business can even apply for a policy. Although I am not a total expert in this area, before a policy can actually be awarded, there are a lot of hoops that an entity has to go through.
For example, the owner of a business has to fill out a lengthy assessment questionnaire. It covers everything from making sure the right controls are in place, to how datasets are being protected, to whether there are response plans in place to mitigate a security breach should it occur, and even making sure that the business is in full compliance with the various data privacy laws, such as the GDPR, CCPA, etc.
Also, the organization may be subjected to a pre-insurance audit before the policy can even be considered. This is just another precautionary step that the carriers have started to take to make sure that the assessment questionnaire is 100% truthful. Third, there are now a lot of areas in which a carrier will not make a full payment, because the threat landscape is changing on a daily basis.
A perfect example of this is the Ransomware payment. If a business paid the ransom, they used to be reimbursed after filing a claim. But because this threat variant has exploded ever since the days of the COVID-19 pandemic, there are no payments being made on these kinds of claims. In fact, if a victim makes an actual payment, they will be further dinged on their Cyber Policy.
So what can be done to bridge this ever-widening gap? Well, the CISOs of Corporate America and the insurance carriers have to come to some sort of middle ground. How can this be done? It all comes down to forming a partnership between the two. In other words, the CISO should not view an insurance company as a nemesis, and likewise, the carrier should not view a prospective policy holder as a potential gouger.
This has to be a firm relationship, and it has to be based on quantitative measures. The best place to get started is to come to some sort of mutually agreeable consensus as to what risk is. Every company has its own way of defining it, and the insurance carriers have yet another way of looking at it. Although there are many ways in which to calculate risk, there also need to be some baselines and best practices that all parties can be happy with in the end.
Also, with the advent of AI and ML, calculating Cyber risk should hopefully be an easier task now. By mutually agreeing on it, a fair policy can be struck on both sides.
But in order to make this happen, the CISO has to share confidential information about the metrics they are using to calculate their particular level of risk. Likewise, the insurance carrier has to make sure that it does indeed keep that information confidential. Once this first level of trust has been established, then perhaps this proposal will start to blossom into a long-term one.
To get another insight into this, click on the link below: