Security Program Controls/Technologies

Cybersecurity Insurance Policies: Three Considerations

More: All Cyber Insurance News & Analysis on MSSP Alert

In a cyber climate where businesses are doing everything possible to minimize risk, nearly everything offered as an answer to this challenge is considered. It’s no surprise that cybersecurity insurance policies quickly caught the attention of data security professionals when they became available to purchase.=

While it’s in no way intended to be a silver bullet in the grand scheme of information security, cybersecurity insurance is a component of a risk management strategy that allows businesses to transfer certain aspects of financial risks tied to a security event onto the insurer.

Today, more and more businesses facing cyber risk are looking for new ways to mitigate it and any potential data losses, says Andrew Herlands, vice president, Global Security Architects at Trustwave. That’s why this form of compensation control is increasingly being considered in ensuring whatever risk appetite the business settles on is acceptable.

“Cybersecurity insurance isn’t that new of a concept,” Herlands says. “In the last few years—maybe even the last couple of years—organizations have started to buy into this type of policy.”

While you may not be in the process of buying cybersecurity insurance, there is some fundamental knowledge to grasp before making your decision:

1. Policies Are Not Mandatory

Are you obligated to purchase cybersecurity insurance? Well, it certainly isn’t mandatory if you believe your business is equipped to manage cyber risk. However, even if you’re second-guessing your organization’s cyber risk tolerance and your ability to manage it, no law or regulation requires you to purchase it.

Given the complexity of available policies, many businesses are passing up on cybersecurity insurance due to their high costs, confusion on what they cover, “and uncertainty that their organizations will suffer a cyber attack,” according to the Department of Homeland Security.

There’s no reason to write off a policy, however, especially if it plays a role in managing the acceptable risk the business has settled on.

“If I had to suggest one thing to a security leader, it’s to try and quantify what that risk is to your organization,” Herlands says. “The more data you store electronically, the wider your data center footprint is, which also leads to more people accessing that data. Those are all variables to consider when assessing your risk posture.”

Because cyber risks are difficult to measure given that attack vectors and attack sophistication continue to evolve, many policies can be costly. So, the better you define your risk, the higher the chances are for you to obtain a premium that reflects the needs of your risk mitigation strategy, and of course, budget.

2. Policies are Evolving Over Time

Similar to the threat landscape and the cybersecurity solutions marketplace, cybersecurity insurance has evolved.

Twenty years ago, cyber attacks primarily came in the form of a web defacement and a hit to the reputation of the organization. While there were breaches taking place, most organizations didn’t have all of their assets accessible online or on a network. Of course, that’s all changed now.

As businesses have digitally transformed themselves over time—with many using multiple cloud environments to store their critical assets—risk has only increased, says Herlands.

“The target landscape has blossomed, attackers have gotten much more sophisticated, and vulnerabilities are as dispersed as the data found in the business,” he says.

This causes policies to change over time. Cyber has been much more difficult to pin down for insurance providers because it is much more challenging to quantitively measure what risk an organization’s going to face that they want to insure.

However, as insurers get more competent and refined in understanding how to quantify risk, they’ve been able to tailor cybersecurity insurance, rather than take a broad-blanket policy approach. Now, many providers have put the onus on the business they’re insuring to take commercially reasonable steps to lower cyber risk.

“They have to have certain controls in place and also conduct an audit to ensure those controls are implemented effectively,” Herlands added. “It’s going to continue to evolve as insurers get more sophisticated and get more history in insuring organizations. They’re going to learn lessons that there are certain breaches they have to cover.”

3. The Right Security Tools Lower Your Premium

While it may be difficult to measure those risks in a quantifiable manner, one thing’s for sure; if businesses implement the proper and recommended controls from a security standpoint, they may be rewarded with more favorable terms.

Large organizations that rely on credit card processing, manage healthcare or financial records, intellectual property, or government secrets have a cyber miscreant’s bullseye aimed at them. In these cases, risks inherently skyrocket seeing as the sensitive data is so valuable to attackers looking to benefit from it in the underground economy. Naturally, the higher the risk, the more solutions will likely need to be in place to proactively combat cyber threats and protect the valuable databases housing sensitive information.

“Either the premiums are going to be high—relative to the size and complexity of the organization—or businesses can counter them by deploying certain policies, procedures and solutions in the hopes of reducing those insurance costs,” Herlands says. “In many ways, investing in a more robust data security program today will demonstrably reduce your risk and the high premiums that come with high risk.”

For businesses that take an adaptive approach to security, the likelihood of having a lower cybersecurity insurance premium is significant. This would then allow them to access a preferred premium that plays a role in the organization’s overall risk management strategy.

Over time, customers will become more mature and more competent in their cybersecurity initiatives, policies, and procedures and technology they employ. As the threat landscape continues to change, so will cybersecurity coverage to ensure they’re covering their customers.


Marcos Colón is the content marketing manager at Trustwave and a former IT security reporter and editor. Read more Trustwave blogs here.