Organizations may perceive the lengthy and involved process, paired with rising premiums, as insurance companies taking advantage of them.
Insurance companies, meanwhile, are struggling to rein in loss ratios that soared a couple of years ago.
Cyber insurance is nascent compared with other insurance segments.
The first cyber policy was written by AIG as recently as 1997.
In contrast, life and property insurance are well over 250 years old, and auto insurance is more than 125 years old.
It's natural for there to be some growing pains in a process that is relatively new and evolving far faster than areas like life or property insurance.
One of the biggest mistakes chief information security officers can make is not treating their insurance providers as partners.
Thus, a system driven by macro views was developed, in which claims expectations were based on overall market losses applied across a pool of insureds.
The problem with this approach is that claims quickly started to exceed projections and insurers observed that the risk of loss was concentrated among a subset of policyholders.
Insurers became concerned about systemic, or correlated, risk, where a single loss event on one policy increased the likelihood of claims against many other policies at the same time.
Things were quickly getting out of hand for insurers.
To mitigate the losses driven by macro-view-based policies, insurance applications have become significantly more complex and require detailed conversations, interviews, and site visits, with the goal of creating a tailored policy.
The trouble is that IT estates are in a constant state of flux throughout the policy period, which makes getting truly accurate and nuanced information via a questionnaire nearly impossible - even for organizations that are attempting to provide the most accurate and detailed information.
This has created an environment where there is substantial volatility in pricing and policy terms, leading to much of the tension between insurers and policyholders.
Where We Need to Go
To truly become partners, organizations and insurers first need to agree upon a common goal: risk reduction.
On the insured side, CISOs are regularly framing budgetary conversations to the board in terms of risk, so there is already agreed-upon terminology.
The missing piece is establishing a way to measure risk that both sides are satisfied with so policy pricing can be based upon it.
From working closely with a large number of insurers, that isn't the motivation of any cyber insurers I know.
Once the insurers have that snapshot, they will be able to examine it and respond with details around key findings and prioritized remediation advice, allowing the applicant to make those adjustments and resubmit to get a better policy price.
At the end of the day, insurance providers and CISOs are all on the same team, so one of my biggest pieces of advice to CISOs: Treat your cyber-insurance carrier as a partner.
This Cyber News was published on www.darkreading.com. Publication date: Wed, 27 Dec 2023 15:00:32 +0000