February 14, 2021
CISOs, Risk Managers: Better Together
In most large firms, risk managers buy cyber insurance, but they are rarely experts in network security and may not fully understand the risk profile.
Not so long ago, many chief information security officers (CISOs) and other information-security professionals were offended by suggestions that their organizations should buy cyber insurance. After all, CISOs reasoned, if they did their jobs well, insurance would be unnecessary.
Fast forward to 2021. There probably isn’t a single CISO who believes that their organization is immune to potentially devastating cyberattacks. Recent news of alleged Russian penetration of well-protected government agencies and major corporations is one more reminder that any and every organization is vulnerable. Still, many CISOs are skeptical of insurance’s benefits and often are only tangentially involved in cyber insurance decisions.
CISOs are often concerned about perceived gaps in insurance coverage, about underwriting criteria that are misaligned with an organization’s security policies and procedures and about the willingness of insurers to pay claims. Some concerns are valid. For example, if an organization’s hardware is damaged by a malware attack, not every policy provides “bricking coverage,” which pays to replace impaired equipment. However, many CISOs’ concerns are based on now-outdated policy language and underwriting and claims practices. As cyber insurance has matured, underwriters are offering broader coverage with less burdensome underwriting requirements. Rather than avoiding claims, insurers are often trusted partners in responding to cyber events and managing their consequences.
Cyber insurance coverage may be more expansive now, but insurance buyers must still ensure that the protection they purchase is adequate and appropriate for their organization and its specific risk profile. In most large organizations, the risk manager buys cyber insurance. However, risk managers are rarely experts in network security and may not fully understand their organization’s cyber risk profile and control environment. This may result in purchasing insurance that does not adequately cover significant exposures, while over-insuring low-priority or well-managed risks. To ensure that cyber insurance aligns with the organization’s risk management needs, risk managers need to work with a broker who specializes in this type of coverage offering. Additionally, the risk manager and the broker need to include the CISO in the buying process.
CISOs and risk managers have a common mission — to protect the assets of their organization. In many organizations, they haven’t effectively collaborated — along with their broker and carrier partners — to achieve their common goals. Even when insurance is recognized as an essential part of the overall cyber risk management strategy, organizational silos, the lack of a common risk vocabulary and differences in risk management frameworks can impede cooperation.
According to a SANS Institute report, Bridging the Insurance/Infosec Gap, “InfoSec and insurance professionals acknowledge they do not speak the same language when defining and quantifying risk, leading to different expectations, actions and justification for outcomes.”
The SANS Institute does not offer a one-size-fits-all solution for closing the gap. Within an organization, successful coordination and cooperation depend on corporate culture, institutional obstacles and how motivated CISOs and risk managers are to cooperate on their common goal.
A coordinated approach is more essential today than ever before. With so many employees working from home during the COVID-19 pandemic, using their personal networks and often their own equipment, IT departments and security professionals struggle to ensure network security. A survey of 250 CISOs by Resilience (named Arceo at the time of the study) found that cloud usage, personal device usage and unvetted apps or platforms posed the most significant threats during this period of increased telework.
With so many factors outside the direct control of IT and information-security professionals, insurance becomes essential. But cyber insurance policies can materially vary, and not all insurers offer enough of the right coverage to satisfy an organization’s risk-transfer requirements. Once the corporate risk management and information-security functions are aligned, a broker can help navigate the universe of cyber insurance and help the client understand nuances in policy language to satisfy the organization’s risk-transfer requirements.
The outcome is an integrated program where insurance from secure and knowledgeable carriers is fully aligned with the organization’s risk profile and information-security strategy.