Only 29% of US companies purchase cyber insurance. CFOs, CEOs and many retail insurance agents advise* that they don’t understand their exposures, are confused by the application process, and don’t understand the coverage.
“A CISO unaware that his own company had acquired an insurance policy to hedge against the cyber attacks he was hired to prevent sounds more like a plot line for an episode of the HBO series ‘Silicon Valley’ than an actual business case. But such disconnect happens frequently in the wake of breaches, according to Julian Waits Jr., CEO of PivotPoint Risk Analytics. ‘Insurance is purchased in silos,’ Waits Jr. says. ‘The two things that you think would go hand in hand as you deal with financial risk transfer hardly ever talk to each other.’”
The CISO’s role in the procurement process needs to go well beyond completing an application for financial buyers. It is much easier for a CISO to understand a cyber insurance policy than it is for an insurance agent to understand and convey exposures to a CFO. We are aware of a healthcare CISO who used her existing MSP’s forensics services in response to a cyber event. When the claim was filed with the cyber insurer, these expenses (over $250,000) were denied because the MSP was not an approved panel provider on the cyber insurance policy. Claims have also been denied or limited in recovery (in one case to less than 40% of costs) due to policy conditions not understood by the CISO.
In many cases, particularly for businesses under $250,000,000 in annual revenue, it makes $ense for CISOs to play a commanding role in the procurement of cyber insurance.
*PartnerRe in collaboration with Advisen, “Cyber liability insurance market trends: Survey,” August 2015