Is Cyber Insurance Necessary?

"Security experts are split on cyber insurance and its place in business, with just as many arguing that it is a useless add-on as an essential business enabler." A KPMG study indicated that these policies were not overly trusted by business leaders. In this podcast episode, Erica Davis, Global Co-Head of Cyber, Guy Carpenter & Co, discusses at length the different types of coverages, how underwriters evaluate and assess cyber risks, the current state of the market, re-insurance mechanisms, and more. She also offers valuable guidance on how to plan and approach cyber insurance-related decisions.

Time Stamps

01:56

So let's begin by talking about you your professional journey, your current role at Guy Carpenter.

04:52

So, you know, I had reached out to a couple of my CISO connections, I told them that I was going to be talking to you and if they have any questions of interest. So one of them sent this to me, he said, Why should we get cyber insurance now? It seems that in the last 12 to 18 months, the industry has moved away from insuring verticals, companies, or has made the cost of coverage so high, that it raises the question of why not just self-insure? How would you react to that statement or question?

09:26

As somebody who carries personal insurance of different types, one of the things that I worry about is when the time comes when I submit a claim, will the claim be honored? Will I have a good experience? What do you have to say from the standpoint of a cyber risk insurer?

12:17

Many of the listeners are possibly thinking about cyber insurance, but they're not sure where to start. What should be the next steps? What are some resources that they might find valuable? Any suggestions for them, recommendations?

13:47

What are some key elements of a good cyber insurance policy?

16:33

Is it fair to assume that an organization that has a very strong or robust cyber defense in place is likely to get a better deal compared to another organization?

18:36

I'll be curious to know that based on your experience of assessing culture resiliency, what are the things that you look for, as an insurance company?

21:14

I'm sure it is safe to assume that even after an organization gets coverage, it will be continually assessed, to make sure they remain eligible for the coverage?

23:48

I heard this from a practitioner that if we buy a lot of cyber insurance, that often gives the impression that we are not good at cyber. And it poorly reflects on the CISO and the CISO function. Is this a common sentiment or just an outlier?

26:05

Let's talk a little bit about self-insurance mechanisms.

30:17

Is there any merit to this inference of mine: having cyber insurance gets organizational attention which in turn motivates efforts towards greater cyber resiliency?

34:08

Does the insurance company take into consideration how actively engaged is top management? Is that a factor in the evaluation of an organization's cyber risk and subsequently, and whether to provide coverage or not?

Memorable Erica Gates Quotes

"In the US, there are actually more buyers of cyber insurance than there are outside of the US. So a greater percentage of businesses buy. And the reason for that is largely driven by a regulatory environment."

"Cyber risk is different. Assessing its value is a challenge. The quantification of what happens if a cyber event occurs is difficult to put a number on for many organizations. And it gets even more complex when we think about measuring cyber risk beyond the four walls of the organization."

"Quite frankly, as an industry, I don't think we've done a really great job at defining cyber risk and helping businesses fully grasp what a cyber product offers. But we are getting better at it."

"If you're somebody who's feeling more exposed to ransomware, it's really important to look at those forensics, business interruption, and extortion payment coverages offered under the first party. So I would say it's really important to understand what coverages are most applicable given your class a business."

"It is important to mention that cyber underwriting extends beyond pure evaluation at the level of security controls. And it includes things like culture resiliency, and stakeholder connectivity, and is your HR team, talking with your legal team and talking with your product dev team in and practicing and promoting good cyber standards."

"I think the best advice that I can give to businesses who are evaluating whether a cyber insurance product is the next step for them is really to work with a specialist broker who understands the risk."

"Given the hard market conditions, meaning that insurers are increasing prices, it's actually increasingly difficult to get cyber insurance protection without those key controls in place."

Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast

Please subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.

Connect with Dr. Chatterjee on these platforms:

LinkedIn: https://www.linkedin.com/in/dchatte/

Website: https://dchatte.com/

Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338