Cybersecurity insurance, once under the exclusive jurisdiction of risk managers, is becoming an increasingly collaborative experience for both risk and information security officers.
According to a recent report, the purchase of cybersecurity insurance is not only increasing – up 27 percent in the U.S. in 2015 – but the economic damage of a successful cyberbreach is also going up. Previously, traditional insurance policies may have included some coverage of cyber incidents, but now most insurers require specific cyber insurance policies to cover these risks, TechTarget reported.
Industry experts speaking with TechTarget noted that early cyber insurance policies were often very broad. Today, though, cyber insurance offers a range of nuanced coverage, which may include financial protection for data breaches, ransomware attacks, forensic teams, notification expenses and other liability costs. Companies with specific risks, such as loss of valuable intellectual property, may also wish to customize their policies further. This is why information technology officers are becoming increasingly involved in selecting an organization's cyber insurance coverage.
Customizing a cyber insurance policy
As Security InfoWatch reported, the involvement of security officers is especially important as businesses navigate the many different policies and price points that are available to them. The number of companies purchasing cyber insurance increased approximately 250 percent between 2013 and 2015, the news website noted, but collaboration with cybersecurity professionals isn't increasing at the same rate.
Working with a security officer affords another advantage as well: It can help to lower the cost of the insurance the organization selects. Security InfoWatch found that many insurers offer lower rates to organizations that take active steps to reduce their risks. One way to do this is to have a cybersecurity program in place before purchasing insurance. This may include employee training on best practices, a breach response plan and internal and third-party audits of corporate networks, cloud providers or other services that access sensitive information. Organizations should also ensure all third-party vendors are complying with internal cybersecurity procedures during their interactions with networks or networked devices.
"Working with a security officer can ensure compliance with the insurer's cyberrisk mitigation requirements."
Reviews by security professionals may be especially important as the cyber risks covered by insurers evolve. According to New York Law Journal, some insurers may offer "stand-alone" policies adapted for the organization's specific needs, while others offer cyber-related provisions attached to other more general policies. Therefore, it is very important for an organization to understand the coverage provided by the specific policy it is purchasing, as well as the liabilities it must assume.
For example, if companies fail to follow the requirements laid out in their policy – for instance by not properly securing their servers or not training employees on mitigating cyber risks – they may nullify their insurance coverage. Information security officers should be able to review the insurance policy and ensure all required actions are completed.
Additionally, organizations need to ensure they have purchased adequate coverage for their risks. As the Journal noted, following the notable breach of Anthem in 2014, the company exhausted its cyber insurance coverage through credit reports and notifications for affected customers alone. An information security officer will be able to help risk managers assess the appropriate level of coverage for the organization.