Vincent Weaver, Chief Technology Officer at Corvus Insurance.
Organizations in nearly every industry deal with cyber risks on a daily basis, and the complexity of attacks is only increasing. As attack vectors evolve and risks increase, organizations need to find the best … Both cyber insurance and cybersecurity are growing hand in hand. It is essential for business leaders to understand these distinct areas of investment and how merging the two has led to opportunities to make smarter investments.
Cybersecurity Vs. (Traditional) Cyber Insurance
Although cyber insurance and cybersecurity both focus, in general, on keeping organizations afloat in the face of cyber incidents, the reasons behind their implementation have historically differed.
In essence, cyber insurance protects an organization from financial losses after a cyber attack. As a result, the procurement and execution process has usually been handled at the executive level by the risk manager or financial leader who manages the rest of the organization’s insurance portfolio. It was traditionally treated, like most insurance, as a negative hedge.
Cybersecurity, meanwhile, focuses on protecting data, software, and hardware, keeping threat actors away from the business. Security is handled by people – a chief information security officer (CISO), chief information technology officer or lower-level IT manager – who live in a world focused on emerging threats, evolving solutions and technology trends. For them, financial loss is a secondary problem – a potential consequence of failure, yes, but not their primary concern. Instead of a hedge, it’s an active and constant battle.
These divergent views have meant that cyber insurance and cybersecurity have traditionally been two separate propositions. Almost everything InfoSec or IT leaders do in the service of improving cybersecurity, from following the guidelines of cybersecurity frameworks such as NIST to adopting the latest endpoint detection and response (EDR) solutions, results in a stronger security posture and lower risk. But historically, these goals may not have been factors in the insurance conversation at all.
That’s because underwriting cyber insurance has traditionally been treated like other commercial insurance lines. The focus was on capturing potential losses (“How many customer records do you have that would be subject to regulatory fines if disclosed?”) and identifying the industry and revenue segments that fit the organization. In the past, sophisticated cybersecurity software might have impressed the underwriter enough that they viewed the application with a favorable eye, but in the end, the things that drove up prices were beyond the CISO’s control. You can see why cyber insurance was initially met with a healthy dose of skepticism by many security practitioners.
Convergence: Understanding the Intersection
The good news is that cyber insurers have adapted. Years ago, InsurTech startups offering cyber policies developed automated security assessment tools for underwriting and began offering additional services such as detailed risk reports for policyholders. It wasn’t until recently that we witnessed the true power of these tools and the data they collect. What were once seen as soft benefits are becoming critical to the future of the market.
The inflection point came after a rise in ransomware attacks, when some in the cyber insurance industry made a deliberate shift in their approaches. In addition to charging rates that better reflect the real risks covered, cyber insurance companies are also beginning to include new requirements that are, critically, backed by data demonstrating their impact on cyber risk. InsurTechs analyzed their data sets to identify security factors – such as specific email security tools or software patch consistency – that have a measurable impact on risk and incorporated them into policy terms.
This InsurTech-driven approach has increased the convergence of cyber insurance and cybersecurity. Whereas before the CISO was simply required to fill out a lengthy questionnaire about their IT systems, they are now likely to take an advisory role in validating the insurance company’s risk assessment and to be invited to work with the insurance company or broker to implement the updates required for the policy. In many cases, we’ve seen that the newer requirements are changes that the security leader had struggled to get through earlier.
This alignment between the goals of the cybersecurity team and the needs of insurance buyers has successfully brought the two worlds together.
Of course, there is a limit to the convergence that we have discussed. The fact is that, in the eyes of the insurance company, not every security control will affect the company’s level of risk. Factors such as annual revenue and industry still contribute significantly to underwriting and will continue to do so. But as the needs of cyber insurance and cybersecurity continue to mature and merge, organizations will only be incentivized to make investments that support cyber resilience in general. Leaders will realize that even if the policy is secured for the year, continued efforts to stay ahead of the curve on cybersecurity will leave them in a better position on rates and terms when renewing the policy – a virtuous cycle.
Most importantly, organizations and their security personnel are not required to do this alone. The same insurers that use data to drive policy innovation are also offering increasingly sophisticated services and partnership opportunities to help their policyholders reach compliance – and go beyond minimum requirements to achieve best practices. This is where we see the convergence at its fullest: a security leader who works with an insurance company and its partners to advance their security goals, knowing that they will gain favorable policy terms as a result. The vaunted and elusive win-win.
Even with the potential for a win-win situation now, in today’s undeniably tough market, frustrations can still be compounded when trying to acquire and renew policies. In a future post, I’ll delve into the challenges we still face and what the next-generation InsurTech world might look like.