Last month, the SNIA Cloud Storage Technologies Initiative, convened experts, Eric Hibbard and Casey Boggs, for a webcast on cyber insurance – a growing area to further mitigate risks from cyber attacks. However, as our attendees learned, cyber insurance is not as simple as buying a pre-packaged policy. If you missed the live event “Does Your Cyber Insurance Strategy Need a Tune-Up” you can watch it on-demand.
Determining where and how cyber insurance fits in a risk management program generates a lot of questions. Our experts have provided answer sto them all here:
Q. Do “mega” companies buy cyber insurance or do they self-insure?
A. Many Fortune 500 companies do carry cyber insurance. The scope of coverage can vary significantly. Concerns over ransomware are often a driver. Publicly traded companies have a need to meet due care obligations and cyber insurance is a way of demonstrating this.
Q. Insurance companies don’t like to pay out. I suspect making a claim is quite contentious?
A. It depends on the nature of the claim and the amount of the claim. Most policies have exemptions, triggers, caps, etc. that have to be navigated. Avoiding payouts is bad business for insurance companies, which are operating in a very competitive space.
Q. How much does cyber insurance cost? Either an example or hypothetical.
A. Due to all the factors involved (e.g., size of organization, market sector, location, type of organization, policy coverage/exemption, and others) it is not possible to make general estimates. That said, many insurers have on-line quote capabilities that can be used to explore basic options and pricing.
Q. Do insurance companies do audits of actual practices, e.g. whether there are actual (vs. claimed) controls on insider access to confidential data? Either before issuing a policy or after an incident. If so, how are audits done?
A. It depends on the nature of the coverage. The organization may need to supply certain documents (security policies, incident response plan, etc.) and make assertions about its operations. Policy discounts can be dependent on audits (insurer or third-party). Also, a claim may trigger an investigation/audit.
Q. Is it possible that business executives see an insurance policy as simply a safeguard against a cyber-attack?
A. Yes, it is possible and the fear of ransomware could be a key motivation. However, such a simplistic view is not likely to be productive. Cyber insurance needs to be an element of your overall risk program and carefully matched to the organization’s needs. You don’t want to learn that you purchased the wrong kind of insurance after an incident. That is like being victimized twice.
Q. To what degree do businesses need to do risk assessment – is it not just an IT/data security problem?
A. Assessing your risk and determining your risk appetite are critical prerequisites to purchasing cyber insurance. Without these insights there is no way for the organization to know what kind of coverage it should get. Such an activity should be driven by the CFO or someone with responsibility for the operations of the organization. IT (via the CIO) and data security (via the CISO) should play a supporting role but they should not be the drivers.