Cybersecurity Insurance

What Every CISO Needs to Know

Through the first six months of 2021, scammers demanded an average payment of $5.3 million from hacking victims, up 518% from 2020 (Cyberscoop). This rise in successful breaches — and MASSIVE increase in average payment — both contribute to the increase in demand for cybersecurity insurance.

Cybersecurity Insurance: The Rise

More and more companies are wisely seeking to add cybersecurity insurance to their toolkit of risk management practices. But while companies are examining options, they should also understand that they are entering uncharted territory. Insurance providers don’t have much available in the way of historical data and analytics to understand the depth of what they are offering. At the same time, more claims are being made than ever before and organizations seeking to add cybersecurity insurance don’t know how much coverage they require. The unknowns on both sides make it challenging for cybersecurity insurers to navigate what type of coverage to offer and at what premiums.

Myths and Misinformation Surrounding Cybersecurity Insurance

Cybersecurity insurance is still relatively new, but the stakes for both insurer and insured are increasing rapidly. Unfortunately, a couple of myths are prevalent among high level decision makers in many organizations that make the situation even more fraught than it needs to be.

Myth 1: Insurance Is Unnecessary

CISOs still have a problem communicating effectively with non-security related C-suites and boards about the concrete risks associated with cybersecurity. CISOs often struggle to convince their companies’ leaders to purchase cybersecurity insurance at all, let alone at a level sufficient to adequately cover a breach. Some leaders may believe that it’s not worth investing in preventative measures over a reactive approach if a ransomware attack or breach were to occur.

Unfortunately, this approach contributes to a lack of investment in preventative security measures, like sufficient cybersecurity insurance coverage. Between the assumption that “it won’t happen to us,” the belief that it’s cheaper to react rather than prevent, and a misunderstanding of what cybersecurity insurance covers, hesitant decision makers don’t feel the current state of cybersecurity insurance meets their needs now at a price point they are willing to pay. Unfortunately, they may end up paying a much steeper price when a breach does occur. 

Myth 2: Insurance Is More Than Sufficient

Conversely to Myth 1, other non-security related C-suite and board members may believe that by having cybersecurity insurance, they do not need to invest as heavily in other preventative measures against cyber attacks. They are under the impression that with cybersecurity insurance, they will be 100 percent covered if an attack occurs. 

This belief is another misleading approach, as more and more insurance providers are taking companies’ proactive security measures into consideration, and examining incident response plans to decide if they will cover a breach fully, partially, or not at all.

Cybersecurity Insurance: Key Takeaways

The increasing number of successful breaches and ransomware attacks has both driven premiums up anywhere from 20-50 percent in 2021 and increased the risks being underwritten (Business Insurance / American Land Title Association). Furthermore, some government regulators, such as the New York Department of Financial Services (NY DFS), are stepping in because they are growing concerned that some companies are using cybersecurity insurance as their means to dodge liability when a breach occurs. Regulators have begun pushing for cybersecurity insurance providers to utilize frameworks and risk assessments to determine premiums and coverage terms. 

Due to these factors, companies are starting to be held more accountable, and are unable to pass all cybersecurity risk costs off to their insurance providers. In some instances, boards and C-suite executives themselves are being held accountable for not investing in preventative security measures. Companies need to invest in preventative security measures or they may not be able to qualify for insurance coverage or continue it, as cybersecurity insurance providers are now reviewing history and preventative measures to determine eligibility and rates.

It’s time to demystify cybersecurity insurance, understand the insurance lifecycle, and stay up-to-date on the latest trends. Catch our upcoming webinar on cybersecurity insurance on October 27th to learn from the leading experts who will break down misinformation and provide real clarity on best practices.

Check Out Our Latest Posts