
The Hidden Strategic Advantage in Cyber Insurance

“Organizations with cyber insurance benefit from a greater peace of mind as well as the opportunity for more effective cybersecurity practices and operational resiliency”


Maintaining security and integrity across an organization’s cyber networks is a complex, collaborative initiative impacting all facets of the organization. “Cyber” touches everything in the modern enterprise, which means cyber risk exists from every angle in the organization.

In spite of steadily progressing defensive measures, the toll of successful attacks continues to spiral upward. Successful breaches against Target, Home Depot, eBay, the Defense Department and Sony are but a fraction of recent intrusions.

Particularly troubling are recent reports of serious attacks, thought to be from Iran, in which destructive malware was planted in over 50 target organizations, including airports and commercial airlines, around the world. These cases demonstrate the expanding tempo and complexity of cyber intrusions across the spectrum of global institutions.


Recovery from data breaches is a costly, resource-consuming and highly disruptive process. There is a cost of protection, of mitigation, of recovery, of layering in additional defenses, and of dealing and complying with a highly complex legal and regulatory privacy landscape. Beyond hard costs, there is a growing fear of reputational risks and brand damage, the impact of which crosses into the critical areas of customer loyalty, operational dependability, even organizational viability.

Seeking to contain or at least stem the threats to their organizations, many executives are increasing cybersecurity funding. A recent PricewaterhouseCoopers survey indicates that financial services companies plan to increase cybersecurity spending by some $2 billion over the next two years. Following the recent massive data breach at JP Morgan and at least a dozen other firms, CEO Jamie Dimon spelled out his plans to double the bank’s current $250 million annual cybersecurity spending over the next five years.

Specialized business practices are being deployed to shore up security platforms and processes. Rapid data breach response teams and cyber defense exercises such as cyber war games, to name two, are seeing increasing use.


Seeking to limit their losses following attacks, organizations are increasingly pursuing cyber insurance. According to business advisor Betterley Risk Consultants, at least 75% of businesses with more than $1 billion in annual revenue are expected to have cybersecurity insurance in the next several years. Smaller and midsize firms are also exploring cyber insurance with increasing frequency.  

For perspective on the fast-developing subject of cyber insurance I turned to Roberta Anderson, a partner in the Pittsburgh office of global law firm K&L Gates and co-founder of the firm’s global Cyber Law and Cybersecurity practice group. I asked her what key forces are driving the demand for cyber insurance and what advice she gives her clients on how such coverage best fits into an overall cybersecurity strategy.

“The Target data breach was a tipping point in executive thinking about cybersecurity,” she replied. “The resignation of the Target CEO and the requirement to deal with over 100 putative class action suits, shareholder litigation and regulatory investigations, coupled with the industry-wide wave of breaches which followed were a wakeup call to C-suite executives: it was time to start communicating more effectively with the chief technology, privacy or information officer.”

Leading to accelerated searches for more effective cyber defense capabilities? I asked.

“Beyond an increased defense tools focus, what is more important is the growing acceptance that effective cybersecurity strategy requires enterprise-wide participation and is not something that can just be ‘turned over to IT’ to deal with. This was also the point where cybersecurity was becoming recognized as more of a risk management issue than just a technology issue.”

Managing Director of Cybercrime at PricewaterhouseCoopers LLP MacDonnell Ulsch recently stated: “IT security discussions were once a foreign language in the boardroom. Today, many boards are racing to connect the dots between ‘IT,’ ‘security,’ ‘cyber,’ and ‘risk.’ They get risk. They have a fiduciary responsibility to do so, and [in cyber] the risk clock is ticking.”

Is this your perspective?

“Yes, and even in a broader sense,” Anderson answered. “Addressing cybersecurity as a risk management issue involves attention to vendor selection and management, organization-wide cybersecurity practices, employee training, insurance, and a host of other related issues. Cybersecurity events will happen. More often than not, executives will be judged by the board on their handling of the attack and their resilience in returning the organization to normalcy of operation.”  

Normalcy to include effectiveness dealing with customers, suppliers, vendors, regulators and other stakeholders?

“Without question. What I feel is an extremely valuable aspect of cyber insurance is the degree to which even just evaluating coverage assists organizations in seeing critical gaps in their enterprise-wide cybersecurity resilience that need to be addressed.”

An evaluation leading to specific steps for cybersecurity improvement?

“The insurance evaluation process can provide the organization with a strategic roadmap for improved cybersecurity practices. Further, insurers are excellent sources of information on contacts for outside professional resources ranging from crisis management, legal and public relations support to specific technical expertise in case of a breach. This information is particularly valuable for the smaller or mid-market companies who do not have the resources of a Fortune 200 firm.”

How much cyber data breach protection is covered by general insurance policies?

“General liability coverage policies can’t be relied on to cover cyber incidents. In today’s breach-filled environment, smaller firms in particular are rolling the dice, perhaps even betting the future of the company, without at least some separate cyber coverage. The risks of not protecting against cyber intrusions are simply too high for most smaller to mid-size organizations to deal with on their own.”

I asked Anderson for her closing thoughts.

“We live in a challenging, interconnected world filled with vulnerabilities,” she said. “Cybersecurity needs to be built into enterprise business practices, not merely tacked on after the fact. Second, the organization’s crown information jewels must be safeguarded. It is critical that technology be matched to the organization’s risks. Information such as client data or proprietary product research deserves greater protective measures than, say, inventories of corporate fixed assets. Without properly targeted protective measures, business models are vulnerable and in some cases unsustainable.”

“Those organizations with cyber insurance benefit from a greater peace of mind as well as the opportunity for more effective cybersecurity practices and operational resiliency,” Anderson concluded. “These are gifts most do not expect but which many receive.”
