In a relatively short space of time, the attitude of Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs) toward cyber insurance has flipped 180 degrees. It used to be a major challenge for insurance brokers to engage IT department stakeholders, who saw little value in insurance and believed the money was better invested in mitigation tools. Many would agree that a red line was clearly crossed following the Target breach.
Today, CISOs support a risk transfer strategy and are directly involved in evaluating a cyber insurance program as evidenced in a recent Symantec white paper entitled “What Every CISO Needs to Know About Cyber Insurance.” Why has this happened?
Currently in the cyber domain, the attacker carries all the aces and the defender has little chance of a winning hand. Companies have a major challenge in preventing attacks from adversaries that now include the resources of nation states.
Cybersecurity professionals no longer view defense as a “prevention” exercise and have adapted their strategy to build “resilience” within the enterprise, thereby minimizing the financial impact. According to FireEye, attackers sit undetected on corporate networks for an average of more than 200 days. Detection can be extremely difficult and many companies today remain unaware they have been compromised.
In an environment where CISOs now accept risk, and do not view it as preventable, the increasing relevance of cyber insurance is clear. The challenge today is threefold:
- How to quantify the risk to identified corporate assets
- How much money to invest in mitigation
- How much cyber insurance to buy
Demand from industries that hold large volumes of payment card data and personally identifiable information, such as Retail, Healthcare and Financial, has skyrocketed. Demand will only continue to grow as risk to physical assets is now emerging in other industries such as Energy and Transportation.
This post marks the first in a three-part series stemming from Beeson’s authored chapter in the new book, Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers. Published by Palo Alto Networks and the New York Stock Exchange, Beeson’s chapter, “Investment in Cyber Insurance,” offers insights on the value of cyber insurance, how it works, and how the government sees it as an incentive to drive stronger enterprise security.