A large majority of CISOs are seeking additional cyber insurance coverage because of an increase in vulnerabilities resulting from the work from home surge.
According to research by Arceo of 250 CISOs at companies with $250m to $2bn in annual revenue, over three-quarters (77%) said there are incidents they need coverage for, but are unable to get it. Also, 88% of respondents were not completely satisfied with the performance of their company’s primary insurance brokerage.
However, 96% want additional coverage, as they believe the security practices followed when working remotely are unlikely to be as stringent as those at the office, leading to a higher risk of attack. Those CISOs stated that cloud usage (49%), personal devices usage (45%) and unvetted apps or platforms (41%) posed the biggest threats during this work from home period.
Also, CISOs want cyber insurance to cover business email compromise (56% of respondents), loss of electronic data (55%), cyber-extortion (53%) and ransomware (52%).
Isabelle Dumont, VP of market engagement at Cowbell Cyber, said there needs to be more clarity over cyber-coverage for all stakeholders that deal with cyber insurance.
“Only a standalone cyber-policy can address this by matching every category of a cyber-incident – data breach, extortion and ransomware, social engineering, fraudulent fund transfer, and many more – with specific coverage and relevant definitions, including which device usage – home or office – is covered and much more,” she said. “Policyholders’ satisfaction directly depends on this as well as overall value provided whether or not there is a claim made during the policy period.”
Among the 77% of CISOs that identified incidents they feel they need coverage for but are report unable to get it, the most common unmet need is cyber-extortion, particularly at firms with the largest revenue. So is the onus on cyber insurance providers to be broader in their coverage, or clearer in what they will and will not cover?
Andrew Barratt, UK managing director at Coalfire, said: “Cyber-extortion (and extortion in general) has posed problems for the insurance markets because it is difficult to underwrite. In practical terms, the policy typically won’t cover ransom or extortion charges due to the legalities in different jurisdictions. Also, the ransomware that is typically used to execute extortion scenarios is something that exploits user error – so insurers have a tough time balancing the value of this risk.”
Barratt also said some brokers simply push a stock ‘cyber’ product and don’t spend the time understanding whether it covers all the things the business needs. “With the complexity of cyber-coverage options, it is really important to understand all exclusions, limits and risks being transferred.”
Barratt also recommended CISOs to look for more specialty cyber-coverage that starts with a discussion of their needs with the broker and, in some cases, the underwriters. “Risks are more likely to be accepted if an organization can show they have some controls in place to mitigate or detect issues and that potential exposure time can be controlled,” he said.
Mohit Tiwari, CEO and co-founder of Symmetry Systems, added that many organizations are often led astray when it comes to obtaining cyber insurance because they are too lost by buzzwords. “If insurers were able to offer coverage on the data itself, then even the top concerns for CISOs could be eased by the knowledge that the information most vital to their operations is safe.”
Register here our Fall Online Summit, which will include a discussion on the topic of cyber insurance.