The last day of RSA is usually a ghost town. So I was surprised to find hundreds of folks crowding into seats for a Friday morning session, all to hear Robert Jones and Garin Pace of AIG discuss “Debunking Myths for Cyber Insurance.”
The scene was as unexpected as a traffic jam in the desert. After my initial shock, however, I came to realize that the crowd was entirely predictable. At IANS, we’ve been fielding plenty of cyber insurance inquiries from our clients,
and the market is on the rise. Jefferies & Company projects that it will grow from $3B in premiums in 2017 to $7B by 2020.
During their talk, Robert and Garin argued that organizations should use insurance to close the “last mile” of their cyber risk. Instead of buying another layered vendor solution to address a deficiency, they suggested that
companies should use cyber insurance to close that final gap because it covers more and cost less. It’s a compelling idea – especially to CEOs and CFOs weary from year-over-year cyber expense increases. An organization
could slow (maybe cap) its cyber-budget growth by covering the residual risk through insurance.
So, are Fortune-class CISOs buying into these arguments? No, not really. The line for questions after the RSA presentation was twenty people long, and after speaking with eleven IANS CISO clients, I found plenty of skepticism and dissatisfaction.
Here’s what I learned about the current state, and how we all might move forward.
1. Everyone Has Cyber Insurance, But Everyone is Skeptical: CISOs are skeptical of all vendor offerings, but particularly so around cyber insurance. Every CISO I spoke with has cyber insurance. It’s nearly ubiquitous in Fortune-class
organizations. Yet everyone complained about policy language that was “confusing” or “obtuse,” or even “bordering on deceitful.” A universal refrain was that the underwriters have made the language,
the policies, and the coverage so complex that many CISOs lacked confidence that they would be covered if a breach actually did occur.
Suggestions for CISOs: As it matures, cyber insurance will become an increasingly valuable risk transfer tool for your organization. Rather than discount it, dig in. Become more involved in the details of your policy and take
the lead when your policy is up for renewal.
Suggestions for Underwriters & Brokers: Based on my conversations, your clients either don’t understand their policies or doubt that their policies will pay out due to the complexity and the opacity in the language.
This needs to be rectified for cyber insurance to reach its market potential.
2. Purchasing Coverage is a “Finger in the Air” Exercise: Most CISOs admitted that little serious thought or analysis went into how much cyber coverage should be purchased. Coverage amounts were often dictated by the Board
or the CFO or arrived at by negotiating with the broker how much coverage XXX premium dollars would buy. Many CISOs consider their coverage limits to be insufficient; sometimes grievously so. “Our coverage would be less than
a band aid,” shared one CISO, “if we had a significant breach…”
Suggestions for CISOs: Stop the guesswork. Only one CISO I spoke with used a loss methodology (in this case computing the ALE using FAIR) to arrive at the appropriate coverage amounts. This approach – or something similar
– should be common practice.
Suggestions for Underwriters & Brokers: Educate your existing and potential clients on the trade-offs between premium dollars and coverage. CISOs are engineers by nature and/or training. They’re not comfortable with
“finger in the air” exercises. If you’re going to build lasting client relationships, this will need to be clarified.
3. InfoSec Maturity Should Be Rewarded: A clean driving record lowers your auto insurance premiums. Regular trips to the gym earn health insurance rebates. But CISOs believe that companies pay the same premiums, regardless of their risk
profile and InfoSec maturity.
“Why aren’t the underwriters relying more on external data, like our FDIC audits and external audits of our control environment, to make underwriting and cost decisions around our policy?” asked a CISO at a mid-sized
bank. “And when will I start seeing premium reductions based on maturing my program? I’m just not seeing this now.”
Suggestions for CISOs: Educate your brokers and underwriters on your program’s strengths. As this dialog proceeds, negotiate more features and/or premium reductions based upon your program’s maturity.
Suggestions for Underwriters & Brokers: Underwriting should start reflecting an organization’s cyber maturity. CISOs and organizations want to see the fruits of their good cyber work rewarded with expanded coverage,
reduced premiums or both.
* * *
Ultimately, what we need here is a more in-depth conversation between the two sides. CISOs need to clarify their concerns and demands. Insurers and brokers need to listen and better explain their underwriting approach.
This discussion is compelling enough that we’ve decided to include Cyber Insurance Panels in our Fall 2018 CISO-only curriculum. At our upcoming Chicago, Atlanta, and Boston CISO Roundtables, executives from underwriting and brokerage
firms will participate in a discussion with the assembled CISOs. I’ll be moderating the session and I promise you that it won’t be boring!
Take a look at the CISO Roundtable calendar for the Fall. If your schedule allows, please come join us.