Key to Better Cyber Coverage: Make Underwriters and Techies Talk More

June 23, 2016

As insurers continue their push to meet fast-evolving cyber insurance demands, the coverage thus far appears to fall far short of what is still needed. This could change if underwriters and information security experts work on their collective communication skills, according to a new industry survey.

The survey, from Advisen, SANS and PivotPoint Risk Analytics, compiled responses from 203 information security experts and 195 insurer/broker executives. Its main findings reveal that information security experts see cyber coverage as falling short and addressing the wrong things. Respondents also said that insurers and the information security pros they work with aren’t speaking the same language.

However, improving communication skills could advance cyber insurance coverage by leaps and bounds, Julian Waits Sr., CEO of PivotPoint Risk Analytics, said in prepared remarks.

“It’s not about eliminating vulnerabilities that leave valuable assets exposed. It is about reducing the potential financial losses from cyber risk,” Waits said. “The next step for the industry, therefore, is to move beyond traditional security scorecard methods to quantify cyber risk in financial terms everyone understands and use common language to facilitate conversations between brokers and underwriters, [information security experts] and risk management, and insurers and insureds.”

The main findings are these: Less than half (48 percent) of chief information security officers and other information security professionals viewed cyber insurance as it exists now as “adequate” for properly addressing a data breach. Also, survey organizers found that only 30 percent of underwriters and 38 percent of information security folks who responded believed that both sides were speaking the same language.

In fact, they essentially use different languages for crucial elements of cyber risk evaluations, the survey authors found. Information security folks view cyber risk in terms of threats and vulnerabilities. They see these as something to address by creating defenses, policies and programs. But insurers think differently, looking at ways to reduce an insured’s risk of financial loss when cyber attacks hit.

The survey authors also found that information security and insurance experts use different frameworks and models to establish cyber defenses. Insurers take a quantitative rather than qualitative approach, for example, but only 25 percent of information security respondents said they are quantitative.

Because of these different approaches, it is particularly urgent to develop a more common language and approach toward developing cyber insurance, the survey authors concluded. One recommendation from this: Involve chief information security officers in the procurement process because they understand exposures. In turn, however, they need to develop a deeper understanding of how insurance coverage works and communicate more with brokers and underwriters.

Other survey findings:

PivotPoint Risk Analytics provides cyber risk analytics; Advisen's analytics and related research target commercial insurance and risk professionals; the SANS Institute is a cooperative research and education organization.

Source: PivotPoint Risk Analytics, SANS Institute, Advisen