I heard recently that cybersecurity insurance isn't that great of a value anymore because insurance carriers are getting smarter about limiting the coverage. Is this true? What is needed to allow insurance carriers to calculate the real cybersecurity risks of companies they will provide coverage to?
The reality of cybersecurity today is that most organizations are just as vulnerable as Target, Home Depot or even Sony; breaches at these other, less notable organizations just don't make headline news. The root problem is that information security risk is still not taken into consideration when organizational technology decisions are made.
This way of thinking has created complex knots of insecure networks and applications that will take years to untangle. Organizations search desperately for an immediate way to reduce their high level of risk exposure, but there are usually no quick fixes, and that is when they turn to the time-tested risk management tool known as insurance.
Cybersecurity insurance has quickly become a must-have for any organization with information security risk exposure. Insurance companies were quick to develop products to meet this demand, but they have since learned what information security pros have known for a while: most organizations are vulnerable and don't even understand their current level of risk.
This has led insurance companies to reduce coverage in order to limit losses and make this line of business profitable. The policies they offer vary greatly; some cover basic identity theft protection for victims but exclude civil lawsuits or other damages. Organizations looking for cybersecurity coverage need to read the fine print of these policies carefully to verify that they are getting the coverage they need.
The bad news for the insurance companies is that there is no definitive method for determining a prospective customer's true risk exposure, short of a full external risk assessment. Attestation standards like SSAE 16, under which service providers obtain audited reports on their controls, could evolve from covering only service providers to covering every organization that uses technology to support its business. These audits are not perfect (an SSAE 16 engagement, for example, is scoped around the controls relevant to a customer's financial reporting rather than around security as a whole), but they could at least give insurance companies some idea of their base level of risk exposure.
Such audits would also be a massive improvement over the simplistic security questionnaires typically found on applications for cybersecurity insurance. Until there is a better way to measure organizational cybersecurity risk, or until organizations finally begin to take cybersecurity seriously, insurance companies will have to fall back on the premise that most organizations are vulnerable.
Related Q&A from Joseph Granneman