Organizations in nearly every industry deal with cyber risk on a daily basis, and the sophistication of attacks is only growing. As attack vectors evolve and risks increase, the need for organizations to combine the best of both cybersecurity and cyber insurance grows in tandem. It is imperative for business leaders to understand these once distinct areas of investment and how the merging of the two has created opportunities to make smarter investments.
Cybersecurity Vs. (Traditional) Cyber Insurance
Although cyber insurance and overall cybersecurity both focus on keeping organizations afloat in the face of cyber incidents, the reasons behind implementation have historically differed.
At its core, cyber insurance protects an organization against financial losses following a cyberattack. As a result, its purchase and implementation have typically been handled at the executive level by the risk manager or finance leader who manages the rest of the organization’s insurance portfolio. It was traditionally treated, like most insurance, as a passive hedge.
Cybersecurity, meanwhile, focuses on protecting data, software and hardware, keeping threat actors out and the business operational. Security is handled by people—a chief information security officer (CISO), CTO or lower-level IT manager—who inhabit a world focused on emerging threats, evolving solutions and technology trends. For them, financial loss is a second-order problem—a potential consequence of failure, yes, but not the primary concern. Rather than a hedge, it’s an active, constant battle.
These differing outlooks meant that, traditionally, cyber insurance and cybersecurity were separate propositions. Nearly everything that InfoSec or IT leaders do in the service of improving security, from following the guidance of frameworks like NIST to adopting the latest endpoint detection and response (EDR) solution, leads to a stronger security posture and lower risk. But those objectives have not historically been factors in the insurance conversation at all.
That’s because traditionally the underwriting of cyber insurance was treated much like other lines of commercial insurance. The focus was on tallying up potential losses (“how many customer records do you have that would be subject to regulatory fines if exposed?”) and determining which broad industry and revenue segments an organization fit into. In the past, a cutting-edge cybersecurity program might have impressed an underwriter enough that they’d view the application with a favorable eye, but ultimately, the things that drove rates were mostly outside of a CISO’s control. You can see why cyber insurance was initially met with a healthy dose of skepticism from many security practitioners.
Convergence: Understanding The Intersection
The good news is that cyber insurers adapted. Years ago, InsurTech startups offering cyber policies developed automated security assessment tools for underwriting and began offering additional services such as detailed risk reports to policyholders. It wasn’t until more recently that we’ve seen the true power of these tools and the data they gather. What were once seen as nice-to-have benefits have become critical to the future of the market.
The inflection point came after a surge in ransomware attacks, when some in the cyber insurance industry made a deliberate shift in their approaches. In addition to charging rates that better reflect the true risks covered, cyber insurers also started to include new requirements that are, crucially, backed up by data that proves their impact on cyber risk. InsurTechs parsed their troves of data to pinpoint security factors—such as specific email security tools or the consistency of software patching—that have a tangible impact on risk and built those into policy subjectivities.
This InsurTech-driven approach has led to the increased convergence of cyber insurance and cybersecurity. Whereas before the CISO may have been asked simply to fill out a lengthy questionnaire about their IT systems, they’re now likely to take on a consultative role in validating a risk assessment performed by the insurer and to be called upon to work with the insurer or broker to implement the updates a policy requires. In many cases, we’ve seen that the newer requirements are changes the security leader had struggled to get buy-in for earlier.
This alignment between the goals of the cybersecurity team and the needs of the insurance buyer has succeeded in bringing two worlds together.