Insurers need to delineate cyber insurance to prevent coverage gaps: Study

Due to the broad definition of cyber risk, insurers should clearly communicate what they can cover to avoid any confusion, a study found


By Lyle Adriano

The cyber insurance business is one of the fastest-growing in the country, but as a relatively new subset of insurance it is not without its complications. A joint study recently conducted by cyber insurance research body Advisen and the SANS Institute revealed that, due to differences between insurers and clients, there is a tendency for gaps in cyber insurance coverage to occur.

Advisen’s part of the study polled 195 insurers and brokers while SANS’ part surveyed 203 information security and IT professionals, reported cio.com. Results from both studies were combined into a single report, entitled “Bridging the Insurance/InfoSec Gap: The SANS 2016 Cyber Insurance Survey.”

The report acknowledges that misconceptions and varied opinions on how cyber insurance works (whether on the part of the client, the insurer, or both) could result in cyber insurance gaps. The report identified four key areas on which insurers and their clients need to be on the same page in order to prevent any confusion:
 
  • The Terminology Gap – Insurers and their clients must first acknowledge that they “do not share a common definition of the fundamental concept of ‘risk’.” While information security (infosec) experts on a client’s side would think in terms of possible threats and vulnerabilities and how best to deal with them by constructing defense systems, insurers think more in terms of reducing the client’s risk of financial loss from a data breach.
  • The Assessment Gap – On one hand, infosec professionals understand that “assessment frameworks establish standard practices, metrics and costs for minimal levels of cyber hygiene and are used to measure and benchmark defenses against other organizations and regulations.” On the other, insurers lean towards quantitative models over qualitative ones, the latter of which most infosec experts often employ.
  • The Communication Gap – Thanks to the two aforementioned gaps, there is sure to be a communication gap between insurers and their clients over what needs to be insured. Underwriters and brokers, too, could get confused over what a cyber insurance policy can cover.
  • The Investment Gap – Due to a lack of transparency in underwriting criteria, buyers looking to secure cyber insurance could end up investing in the wrong thing. Moreover, certain policy provisions and exclusions could require legal counsel to interpret.

The report suggests that, to close these four gaps, a company’s chief information security officer (CISO) must play an important role in cyber insurance procurement.

“The CISO needs to be involved at a very early stage to map those exposures and to work with the risk manager to understand what those exposures are so that when the risk manager goes to the market he is able to explain it to the brokers who in turn are able to explain able to match it up with the insurers to select the correct coverage,” said Advisen co-founder and chief strategy officer David K. Bradford.
