In a relatively short space of time, the attitude of Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs) toward cyber insurance has flipped 180 degrees. It used to be a major challenge for insurance brokers to engage IT department stakeholders, who saw little value in insurance and believed the money was better invested in mitigation tools. Many would agree that a red line was clearly crossed following the Target breach.
Today, CISOs support a risk transfer strategy and are directly involved in evaluating a cyber insurance program as evidenced in a recent Symantec white paper entitled “What Every CISO Needs to Know About Cyber Insurance.” Why has this happened?
Currently in the cyber domain, the attacker carries all the aces and the defender has little chance of a winning hand. Companies have a major challenge in preventing attacks from adversaries that now include the resources of nation states.
Cybersecurity professionals no longer view defense as a “prevention” exercise and have adapted their strategy to build “resilience” within the enterprise, thereby minimizing the financial impact. According to FireEye, attackers sit undetected on corporate networks for an average of more than 200 days. Detection can be extremely difficult and many companies today remain unaware they have been compromised.
In an environment where CISOs now accept risk, and do not view it as preventable, the increasing relevance of cyber insurance is clear. The challenge today is threefold:
- How to quantify the risk to identified corporate assets
- How much money to invest in mitigation
- How much cyber insurance to buy
Demand from industries that hold large volumes of payment card data and personally identifiable information, such as Retail, Healthcare and Financial, has skyrocketed. Demand will only continue to grow as cyber risk to physical assets now extends to other industries such as Energy and Transportation.