The ever-growing volume of cyberattacks and online threats has made purchasing cyber insurance a routine activity for many organizations. While insurance has generally been the responsibility of the organization's board of directors, in collaboration with the CFO, the technical nature of cyber risk means the CISO is increasingly being asked to join the conversation.
Indeed, cyber insurance has become the norm for many organizations. More than half of the respondents to the latest Dark Reading Strategic Security Survey say their organizations have some form of cyber insurance coverage. While 29% say cyber insurance coverage is part of a larger business insurance policy, 28% say they have a policy specifically for cybersecurity incidents. Nearly half of organizations (46%) say their policy covers ransomware payments.
A cyber insurance policy helps organizations pay for at least some of the financial losses they might suffer in the event of a cyberattack or data breach, such as the costs of incident investigation and response, remediation, crisis communications, ransom or extortion payments, legal liability and lost revenue. While insurance doesn't "eliminate the need for proactive and resilient cyber controls," it offers a "safety net" for potential financial losses, according to the Google Cloud Office of the CISO's new "Perspectives on Security for the Board" report. The goal of this report series is to enable boards of directors to take a more active role in overseeing the organization's cyber risk.
"The financial and legal ramifications of cyber attacks require meticulous insurance strategies, but realizing them requires a deep understanding of evolving risks," the report says, before recommending that boards facilitate cooperation between the security organization, which brings the technical skills, and the finance organization, which brings the focus on financial impact.
Collaborate on a stronger story
"How to talk about risk and how to manage and mitigate it is becoming increasingly important for the CISO organization," says Monica Shokrai, head of enterprise risk and insurance at Google Cloud, while noting that communicating risk upward is something the CFO has "always" been doing. Instead of trying to turn CISOs into "cyber CFOs," the two organizations should work together to develop a coherent, integrated strategy for the board of directors, she says.
The finance organization is used to quantifying risk, assessing how much risk the organization carries, and then optimizing an insurance program to decide how much of that risk to retain versus how much to transfer. Because the finance side has less experience with cyber risk, it is less likely to choose the right model on its own. The security side of the house has the expertise and understanding of cyber risk and technology. Quantifying cyber risk helps model potential losses, which is the input the insurance decision depends on.
“The CISO’s technical expertise is invaluable, but the real power comes from translating risks into their potential financial impact on the business,” Google Cloud wrote in the report. “By working with the finance department and using public data on breaches along with company incident history, companies can develop a robust cyber risk model.”
The board examines the company's risks, tries to determine how those risks affect the company's balance sheet, and then decides how much risk to transfer. Calculating the financial impact is part of the insurance strategy and works the same way for cyber insurance as for other types of insurance. Traditional insurance, such as auto liability or workers' compensation, is based on well-established case law, so the average board member knows what is and isn't covered. In contrast, cyber insurers are still working out exclusions such as cyber warfare, systemic risk and generative artificial intelligence.
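The retain-versus-transfer decision described above becomes concrete once annual losses are simulated and split against a policy's retention (deductible) and limit. The following is an added example and is not code from the article or from the Google Cloud report. It assumes a simple frequency/severity model (a Poisson incident count and a lognormal cost per incident) and uses invented placeholder parameters; in practice the distributions would be fitted to public breach-cost data and the company's own incident history, as the report recommends.

```python
"""Toy cyber-loss Monte Carlo: how much of the annual loss a policy retains,
transfers, or leaves uninsured. Added example; every number below is an
assumed placeholder, not a figure from the article or the report."""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    retention: float  # annual deductible the company pays first (assumed policy shape)
    limit: float      # maximum the insurer pays in a year above the retention


def split_loss(annual_loss: float, policy: Policy) -> tuple[float, float, float]:
    """Split one year's total loss into (retained, transferred, uninsured)."""
    retained = min(annual_loss, policy.retention)
    transferred = min(max(annual_loss - policy.retention, 0.0), policy.limit)
    uninsured = annual_loss - retained - transferred  # anything above the limit
    return retained, transferred, uninsured


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; adequate for the small event rates used here."""
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def percentile(values, q: float) -> float:
    """Nearest-rank percentile of a sample (q in [0, 1])."""
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]


def simulate(policy: Policy, *, incidents_per_year: float, median_cost: float,
             cost_sigma: float, years: int = 20_000, seed: int = 7) -> dict:
    """Simulate `years` independent years and summarise the loss split.

    incidents_per_year: Poisson rate of loss events (assumed)
    median_cost, cost_sigma: lognormal cost per event (assumed)
    """
    rng = random.Random(seed)
    mu = math.log(median_cost)  # lognormal median is exp(mu)
    totals, retained, transferred, uninsured = [], [], [], []
    for _ in range(years):
        n = poisson(rng, incidents_per_year)
        loss = sum(rng.lognormvariate(mu, cost_sigma) for _ in range(n))
        r, t, u = split_loss(loss, policy)
        totals.append(loss)
        retained.append(r)
        transferred.append(t)
        uninsured.append(u)
    return {
        "expected_annual_loss": statistics.fmean(totals),
        "p95_loss": percentile(totals, 0.95),
        "p99_loss": percentile(totals, 0.99),
        "expected_retained": statistics.fmean(retained),
        "expected_transferred": statistics.fmean(transferred),
        "expected_uninsured": statistics.fmean(uninsured),
        # share of simulated years in which the loss blew through the limit
        "prob_limit_exhausted": sum(1 for u in uninsured if u > 0) / years,
    }


if __name__ == "__main__":
    # Placeholder parameters: 0.4 loss events/year, median $500k per event,
    # heavy tail (sigma 1.2). Compare two hypothetical policy structures.
    for policy in (Policy(retention=250_000, limit=2_000_000),
                   Policy(retention=1_000_000, limit=5_000_000)):
        summary = simulate(policy, incidents_per_year=0.4,
                           median_cost=500_000, cost_sigma=1.2)
        print(policy)
        for key, value in summary.items():
            print(f"  {key:>24}: {value:,.2f}")
```

The output gives the finance side the numbers it already knows how to reason about (expected annual loss, the 95th and 99th percentile years, and how the loss splits between deductible, insurer and uncovered tail), while the security side owns the frequency and severity assumptions that drive them. Re-running with a different retention or limit is how "adjusting the model up and down over time" turns into a concrete comparison of policy options.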
“What is still emerging about cyber insurance is that boards are starting to recognize the extent of the risk they face as an organization,” Shokrai says.
It is never too early for security and finance to collaborate on cyber risk management, since the finance team already has to decide which risks to accept and which to insure against.
“If you start by quantifying cyber risk, you at least have a baseline that you can adjust up and down over time and that you can iterate on. Expect that you will continue to adjust that model as you learn more,” Shokrai says. “You might even start the collaboration early and improve both teams in the process.”