top of page

The Complex Relationship Between Cybersecurity and Cyber Insurance

In a dynamic exchange of ideas, cybersecurity and insurance industries converged at a recent Black Hat "mini summit," dedicated to refining their collaboration strategies. The summit, centered around cyber insurance, delved into the necessity of such coverage, its evaluation criteria, and its role for Chief Information Security Officers (CISOs). Nonetheless, a lingering question remained: is underwriting keeping pace with the evolving landscape of cybersecurity threats?

The discussions focused on the calculation of cyber insurance premiums, a topic fraught with disagreement. Advocates of cyber insurance maintain that this coverage offers a buffer against financial anxieties post-cyberattack. Nevertheless, experts cautioned that the comprehensive costs of an attack, including subsequent forensic investigations, downtime, and credit monitoring, must also be considered. The recent $250 million expense incurred by Applied Materials due to a ransomware attack underscored the reality of these costs.

Catherine Lyle, the head of claims at Coalition, emphasized the significance of active insurance in steering a company back on course after an incident. She also highlighted the increasingly sophisticated tactics employed by threat actors, who are now skilled in using the English language to locate sensitive financial data, thereby enhancing the risks faced by organizations.

Amid the growing prevalence of phishing-enabled attacks like ransomware and business email compromise, Ed Ventham, co-founder of Assured, a cyber insurance broker, noted that such incidents significantly impact insurance policies. Ventham highlighted the importance of assessing clients' cybersecurity measures, including endpoint protection, system monitoring, and patching procedures.

With an insightful perspective, John Caruthers, CISO at Triden Group, acknowledged the evolving perception of cyber insurance. He likened it to a motivational tool for enhancing cybersecurity measures rather than a direct substitute. Caruthers drew parallels with the medical and automobile insurance industries, emphasizing the absence of historical data in cybersecurity, which necessitates a focus on essential requirements such as multifactor authentication and incident response plans.

Steven Schwartz, VP of Insurance Strategy & Underwriting at Safe Security, encapsulated the essence of the evolving relationship between cyber insurance and security: "In today's interconnected, digital world, organizations of every size and in every sector can benefit and leverage cyber insurance to enhance their resilience. The cyber insurance industry is now driving partnerships across the security ecosystem to assess and underwrite insureds based on quantitative, inside-out cyber-risk assessments. With an inside-out, quantitative cyber risk assessment, organizations can understand precisely what security gaps exists, exactly which assets are exposed to those security gaps, and how to remediate and prioritize them based on the quantitative impact to the assessed organization."This sentiment reflects the growing impetus for organizations to embrace cyber insurance not merely as a reactive measure but as a catalyst for bolstering their cybersecurity posture.

As industries forge ahead in this complex landscape, the collaboration between cybersecurity and insurance is proving pivotal in fortifying organizations against the escalating tide of cyber threats. ###

Comments


bottom of page