ISBuzz Experts Views on Cyber Security Insurance

As part of our expert panel question series, we have the following question for the month of Feb 2017 to our expert panel members.

Feb 2017 Question: As Cyber Security insurance industry evolves, we might see different types of cyber security coverages and not just the blanket cover as extension to existing risks. How will cyber security insurance shape the cyber security market in coming years with these different type of insurance coverages?

Expert Response:

Brian A. McHenry

Cyber insurance is manifesting in much the same way as past regulatory compliance initiatives, such as PCI and HIPAA. In order to establish due diligence on the part of the insured, cyber insurance policies are compelled to provide policy and procedure for what constitutes effective cyber security measures. In insurance jargon, these measures would be “minimum required practices”. Over the past year, there’s been concern that cyber insurance policies wouldn’t cover breaches over emerging vectors, such as the so-called “whaling” attacks which were phishing attacks against C-level executives over email and social media.

With these precedents already set, and with small businesses likely most vulnerable to bankruptcy (or other catastrophe) in the wake of even a small breach, tiered policies or alternative coverage models are sure to become popular. Small to medium businesses (SMBs) are more likely to leverage cloud or SaaS services to mitigate risk, such as those offered by Microsoft or Google for back-office. For these organizations, the liability scope is then contained to perhaps a few Internet-facing services for which they bear full responsibility. A CISO/CIO/COO in these organizations is apt to look for cost-controlled cyber insurance coverage that mirrors their risk exposure.

Over time, cost of cyber insurance coverage levels will provide additional pressure to move critical Internet services to cloud/SaaS providers. This additional pressure to “move to the cloud” will even be true in the large enterprise, not just the SMB. However, expect infosec teams to provide some resistance, since relocating risk to a third-party does not necessarily lessen the risk. In the final analysis, expect cyber insurance to help improve cyber security posture for many organizations, as policy payouts are contingent upon documented employment of the minimum required security practices.

You can read our expert panel members biographies here.