Security risk assessments must evolve to respond to global market changes
Info-Tech Research Group explains in a new industry resource that the cyber insurance market is still evolving, so organizations should proactively manage their risk posture as a process cycle throughout the year to best keep up with changes. Access the full blueprint here.
June 1, 2023 /PRNewswire/ – The cyber insurance market continues to evolve rapidly, and organizations are finding it difficult to adapt to the continuous changes in requirements and costs. As insurance requirements shift, effectively managing cyber insurance will require organizations to manage risk more proactively. To help organizations assess and adapt their cybersecurity insurance policies to the market, global IT research and advisory firm Info-Tech Research Group has published its new blueprint, Assess Your Cybersecurity Insurance Policy.
“Cyber insurance has helped some CISOs rest easier amid threats of ransomware and data breaches, yet many industry pros have sour feelings about this type of insurance. They often argue that the whole thing is a ‘money pit’ because insurers won’t really pay up,” says Logan Rohde, senior research analyst at Info-Tech Research Group. “However, this view is too simplistic. The novelty of cyber insurance means that things are not yet standardized, leading some insurers to hide behind vague policy language to avoid paying claims that would bankrupt them or set claim-paying precedents that might run them out of business in the future.”
The newly published blueprint explains that cyber insurance changes are meant to reduce the amount of risk taken on by insurance companies, often requiring changes on the part of the insured. The research in the blueprint shows that the challenge with this approach is that some organizations may not know which controls to prioritize, and some are seeing prohibitively expensive premiums. Furthermore, alternatives to cyber insurance are not always apparent.
Understanding Your Organization’s Needs & Your Policy
“In many cases, cybersecurity insurance problems arise because policyholders do not fully understand what their policy covers and excludes. Once again, policy language is the underlying issue,” explains Rohde. “Therefore, it is vital to have a legal team review any language that seems unclear, especially concerning key areas of coverage like ransomware, data breaches, or acts of war.”
According to Info-Tech’s research, it is best to seek input from all parts of the organization to determine potential impacts accurately. Reducing the exposed surface area may also reduce insurance premiums, as insurance companies often use third-party vulnerability scanning services. By reducing the attack surface, organizations can reduce the number of potential vulnerabilities discovered by these services. An insurance broker can also help navigate the cyber insurance market, especially when comparing policies between insurance companies.
The firm recommends that policyholders understand their organization's risk management needs so they can plan an appropriate strategy. Key considerations that Info-Tech advises policyholders to be aware of include:
- Risks and risk tolerance.
- The impacts of realized risk, cost of program maturation, and the benefits of having insurance in the event of an incident.
- Alternatives to cyber insurance.
The blueprint also explains the different areas that must be understood when it comes to cybersecurity insurance options, including:
Types of coverage
- Data breach insurance, which protects organizations from costs and impacts related to a data breach
- Cyber liability insurance
  - First party, which protects the organization from direct impacts
  - Third party, which offers protection from third-party claims
- Retention, which is a monetary amount that the organization must pay before the insurance company gets involved
- Deductible, where the insurance provides coverage from the beginning and will seek reimbursement for the deductible amount after the fact
Cyber insurance is only one possible risk treatment strategy that transfers risk to another entity. The research suggests that organizations can still reduce risk by mitigating or avoiding it and should work to improve their information security program, regardless of whether or not they intend to obtain cyber insurance.
For more information about Info-Tech Research Group or to access the latest research, visit infotech.com and connect via LinkedIn and Twitter.
About Info-Tech Research Group
Info-Tech Research Group is one of the world’s leading information technology research and advisory firms, proudly serving over 30,000 IT professionals. The company produces unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. For 25 years, Info-Tech has partnered closely with IT teams to provide them with everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.