Industry Perspectives

Cyber Insurance: What works, what doesn’t, what are the gotchas, what are the key considerations?

online privacy issues

Cyber insurance is not the savior of managing cyber risk, but it can and it should play a central role in helping organizations develop and implement strong IT security and enterprise resiliency capabilities in the face of dynamic cyber risk. This series is designed for risk-obligated executives who need to consider the role of insurance in their overall cyber risk management strategy.

Cyber insurance needs to be part of every company’s active consideration of its overall IT security strategy. Insurance is not a standalone solution, but rather another layer or component to integrate into the IT security posture to improve financial resiliency.

What Works?

What works is going through an active consideration of a risk-transfer process – working with a broker, coverage counsel, independent consultants, and an underwriter to go through the process of securing useful cyber insurance coverage.

What Doesn’t?

Buying cyber insurance off the shelf and not tailoring coverage to the needs of the business.

The Gotchas?

Exclusions, inadequate limits and sub-limits, buying coverage you don’t actually need or that doesn’t respond the way you expect or need it to.

Key Considerations:
  1. You can invest in security without insurance, but you shouldn’t be able to procure insurance without reasonable security. Regardless of your security posture, I recommend going through the cyber insurance process. The decision to buy insurance is a question of risk tolerance, and publicly traded entities in particular have greater scrutiny today as it relates to security. You don’t need to buy into the hype of cyber insurance, but going through a considered decision-making process is a wise investment.
  2. Go beyond the application form where necessary. The process of securing cyber insurance is as varied as 50 underwriters and more who offer the coverage today. Recognize that the application form is the starting point and answer the questions it asks, but answer the ones it doesn’t ask too. Be able to provide sufficient risk clarity to help ensure you are getting the desired coverage at fair prices. This will likely require some incremental insights beyond the insurance application process. Working with a reputable broker who understands the market, in conjunction with an underwriter who has a track record in offering cyber-insurance, is basic table stakes.
  3. An insurance policy is a legal contract. You need an attorney who is an advocate for you - not the underwriter - to review the policy, to review the insuring clauses, and to point out areas of additional consideration.
  4. Recognize that traditional technology defenses will often be central to the questions being asked on the application form, but the ability to demonstrate a dynamic defense posture will help move the risk needle. Underwriting questionnaires can be vague and ambiguous when inquiring about your security environment – take the time and effort to be clear about your security posture, and incorporate your use of intelligence, real-time or otherwise, and your ability to respond to losses, either in-house or through retained third parties.
FireEye and Cyber Insurance

Putting more effort into the insurance process, in theory, should positively influence your premium, the limits of liability, deductibles and policy language. FireEye provides insurance-focused risk assessments that help a prospective policyholder go beyond the basic application and include:

  1. Security Program Assessments
  2. Compromise Assessments
  3. Response Readiness Assessments
  4. Health Checks

FireEye is not a broker or underwriter, but we provide capabilities that enhance the role of insurance. Our goals are to update and inform the insurance community on how best to address and manage cyber risk, which in turn, informs the underwriting and claims processes. This helps our clients who suffer losses be more resilient in both their operational and financial recovery.

Underwriters should understand a potential insured’s ability to prevent attacks from occurring, but also assess an insured’s ability to detect, analyze and respond to exposures to minimize insured losses after they have occurred. This is where FireEye is investing time and effort with the insurance community to upgrade this approach. Our products and services are entirely complementary to an organization’s insurance program, provided the underwriter recognizes the value that FireEye clients have at their disposal when working with us.

FireEye strives to play a central role in the narrative around cyber insurance by teaming with the insurance community to help promote the adoption and implementation of cyber insurance.