Your 2018 guide to cyber insurance is here

CISOs need every risk mitigation technique they can get, and cyber insurance is a great tool to mitigate and transfer cyber risk, but there are some key pain points they should know about.
Written by Forrester Research, Contributor

Today, no one is 100 percent secure -- believing otherwise is hubris of Icarian proportions.

This reality is a core reason why more organizations are turning to cyber insurance: without it in some form (whether it's a purchased policy or their own allocated cash reserves), they have no safety net to stymie losses from a serious cyberattack.


CISOs need every risk mitigation technique they can get, and cyber insurance can be an effective tool to mitigate and transfer cyber risk. But getting the right coverage, terms, and services is far easier said than done.

Learn To Navigate Today's Cyber Insurance Market

Security leaders who take time to understand the ins and outs of the cyberinsurance market have a distinct advantage in everything from broker selection to policy negotiations.

This is why we launched our cyber insurance research: to guide our business and security clients through this $1.5 to $3 billion (and growing) market and to offer insight and best practices to better mitigate cyber risk.

Key Findings

What we found is a cyber insurance market that looks a lot different than even 2-3 years ago and keeps evolving quickly. Likely no surprise to security pros, many insurers' cyber offerings are their fastest-growing product lines. Still, insurers and security buyers alike grapple with a list of pain points. Here are some of our key findings:

  • The cyberinsurance market is maturing, but growing pains persist. We see positive signs that the market is growing up: more transparent policies, fewer contentious claim holdups, and insurers with a better understanding of cyber risk. Still, it's far from painless. Security leaders face countless hurdles, including pedantic legalese, pricing hikes, IP and reputation coverage gaps, and disconnected purchase decisions due to internal discord.
  • Buyers navigate a labyrinth of intertwining providers and partners. Our report maps out the intricate web of cyber insurance underwriters, brokers, reinsurers, consultancies, data analytics and cyber risk scoring providers, and carefully constructed carrier panels of post-breach services, such as incident response and legal counsel. And for large enterprises, there are self-insurance and captive options that may offer capitalization or tax advantages.
  • The devil is in the details. For both cyber insurance veterans and newbies, it's easy to make mistakes. Even a slight variance in your policy's definition of "computer fraud" can be the difference in millions of dollars of coverage. We break down cyber insurance coverage gaps and limitations into four categories: 1) Sublimits and Deductibles; 2) Explicit Exclusions; 3) Implicit Restrictions; and 4) Services Constraints. You'll want to read up on all of these before you start redlining your policy.
  • Choose your cyber insurance broker wisely. The most important cyber insurance relationship is between the CISO and broker. Whether it's selecting a cyber insurance carrier, updating your policy, or handling major claims, you'll turn to your broker first. During your broker selection process, make sure that their incentives prioritize your relationship -- not their relationships with partners. Review the services they offer, their cybersecurity acumen, partner ecosystem, and the experience of existing customers.

--By Nick Hayes, Senior Analyst, and Heidi Shey, Senior Analyst

Want to learn more about the cyberinsurance market and options for covering cyber risk? Download our report here [subscription required].

This post originally appeared here.
