The need to balance offering coverage for cyber incidents against remaining profitable has cyber insurers rethinking how they measure the risk and exposure they take on when insuring an organization.
In a recent SecurityWeek article on the topic, Vishaal Hariprasad, CEO at cyber insurer Resilience, described how cyber insurers have changed their tactics to minimize their exposure when taking on policies: “In 2016, you could buy a million-dollar cyber insurance policy and they would ask you, do you have your IT person, and did you guys buy a firewall? They never asked is the firewall turned on, because the insurance industry didn’t care back then.”
Hariprasad went on to describe the very different and better-informed position insurers take today: “Insurers need to know, is your firewall turned on? Is it consistently patched? Are you continuously bringing in the right data feeds? And are you monitoring them?” What is needed is a new cooperative relationship between the insurer and the insured.
In essence, organizations should expect a new relationship dynamic between the cyber insurer and the policyholder’s IT department, one in which the insurer needs a detailed understanding of how secure the organization’s environment really is before issuing a policy.
In reality, this isn’t far off from homeowner’s insurance: your home is inspected down to the number of nails in the roof rafters so the insurer understands exactly what its risk is. In cybersecurity terms, it’s reasonable to expect cyber insurers to go through your security posture with a fine-toothed comb, examining every possible point of exposure (whether controls such as firewalls, patching, logging and monitoring are actually in place and working) to gauge how much risk you pose before issuing a policy.
In the end, this is going to result in improved security postures for policyholders and fewer claims for insurers. Everybody wins.