5 tips on how leaders can manage risk with cyber-insurance
Monica Shokrai
Head of Business Risk & Insurance, Google Cloud
Almost all countries require car insurance to help manage the risks of driving. Far more complicated, but just as important to today’s businesses, is incorporating cyber insurance into a holistic, cross-functional risk management program.
Cyber insurance can help organizations recover from cybersecurity-related disruptions to their business caused by data breaches, ransomware, and other types of cyberattacks. When organizations have cyber insurance in place, the insurer indemnifies them against losses, including incident response and remediation services, business interruption costs, and third-party liabilities.
The chief financial officer, general counsel, and the chief information officer, in partnership with their security teams, play vital roles in managing their organization’s cyber risk. They decide which cyber risks to accept, which to remediate, and which to avoid. One way they can better manage their organization’s risk profile is with cyber insurance, but buying cyber insurance can be a complicated process.
The challenges stem from the process being cross-functional and iterative. When evaluating the cyber risk of your organization, most organizations will identify gaps or shortcomings in security controls, supply chain risk, or even incident response plans. As much as possible, organizations should remediate such findings before applying for coverage because preemptive actions can protect your organization and help it receive the best coverage and lowest premium possible, just like having a safe driving record.
Since this process can be time consuming and iterative, it’s important to allocate time and money properly. The time from when an organization starts planning for cyber insurance to when the policy is finally in place can be six months — or even longer when including time to remediate risks.
Below are five steps on how to navigate purchasing cyber insurance. The goal is to develop a smooth, repeatable purchasing process that effectively demonstrates the investments your organization has made in cybersecurity.
1. Understand and quantify your risk: You can’t decide how much risk to retain or transfer without first understanding it. Identifying your assets and risk landscape, and understanding the potential for loss, can be a difficult and time-consuming process.
One way to overcome these challenges is to combine the capabilities of your cybersecurity team with your insurance and data science teams. If you don’t have a team of actuaries available, either in-house or through your insurance broker, the FAIR model (Factor Analysis of Information Risk) can be a more accessible way to work through a risk-quantification exercise for your organization.
Cyber risk quantification is still in its early stages, so don’t get hung up on landing a perfect answer. Building out even a simple model and thinking about risk quantification can be very helpful as a first step when evaluating how much risk you want to transfer or retain.
2. Define your risk appetite: Once you have an understanding of your risk in financial terms, think about your risk appetite as an organization. Working with your leadership team, define the amount of coverage your organization needs, based on how much financial volatility the organization is willing to tolerate. Insurance brokers can help with recommendations, market comparisons, and benchmarks so organizations aren’t alone in this process.
The goal is to choose the level of insurance that’s right for your organization. While you don’t want to be over-insured and pay hefty premiums that your organization doesn’t value, you certainly don’t want to be under-insured in the event of an unexpected cyber event.
3. Apply for coverage: The next step is to work with your broker to apply for coverage. During this phase, your organization will need to be ready to answer detailed risk questions and present a coherent security, resilience, and privacy strategy to insurance underwriters.
The current application experience can be time consuming, with many questions about an organization’s information security program and controls that may not intuitively correlate with risk. While the insurance industry is working to improve this process and add more nuance to their questions, Google Cloud can help organizations more quickly understand their cyber risk and communicate that risk to insurers.
In addition to focusing on important security controls, insurers often will want to know about the organization’s business continuity and incident response plans, its endpoint detection and response capabilities, and which cloud service providers the company depends on. They also want to know how the organization evaluates and manages third-party vendors that handle sensitive data.
Cyber insurance policies typically cover an entire company's cyber footprint, whether the risk originates from endpoints, on-premises environments, or cloud providers. This is why insurers may ask a variety of questions that span beyond a list of internal controls.
4. Continuously improve your security program: Cyber insurance providers should be seen as a helpful partner to drive security improvements. In the short term, we can see this in action when underwriting questions reveal previously unknown shortcomings, which can then be quickly remediated. Over time, the continuous feedback loop between risk and security controls can provide even more value to an organization.
While it may take time for the insurance industry as a whole to get here, we believe in an end state where the process of purchasing insurance will validate the time and money invested in security. This can start with a quick assessment built into existing security tools and processes, as seen in our Risk Protection Program. Over time, we anticipate insurers will want to take this one step further by requiring active risk monitoring and providing feedback on how to reduce risk by taking a broad, industry-wide approach that includes many customers.
Because cyber risk is constantly changing, the insurance market isn’t yet fully able to meet the coverage needs of organizations — as seen in the recent focus on war exclusions and limitations on systemic risk. It’s also a more recent and less mature area of risk, so insurers are still identifying how to obtain, incorporate, and utilize the metrics that are most highly correlated with risk.
Nevertheless, there has been enough customer-broker feedback in today’s insurance purchasing process that insurers can require certain products or controls before moving forward with providing coverage. This step is highlighted to ensure you take advantage of that feedback loop from insurers, make the changes necessary to reduce risk, and improve your security posture ahead of your insurance renewal. Ultimately, this can help you access better coverage.
5. Read your policy (more than once): Typically, your broker will present you with a number of different policies to choose from with different terms. Each policy may vary in its deductibles, insurance limits, or policy terms. Make sure someone in your insurance or legal department reads the policy in detail, and ask your broker or insurance representatives to walk through the exclusions with your team ahead of time. As cyber risk continues to evolve, so do the terms of the policies. You don’t want to be surprised in the event that you need to call upon the policy for coverage.
Invest upfront in security and use cyber insurance as validation
Cyber insurance can be utilized as a way to validate an organization’s investment in security. If you invest time upfront to deploy critical controls to mitigate your cyber risk and become more secure, you can expect to pay less for cyber coverage. If you don’t have sufficient security controls in place, there’s a good chance you may not qualify for a policy. Even if you do, your premiums may be too high or your coverage too narrow to cover your risks.
Security challenges can be notoriously complex, and cyber risk management is no different. Taking a critical look at how you’re protecting your IT infrastructure and identifying and remediating gaps can be time-consuming. Security leaders should give themselves plenty of time to assess their risks, address controls, and devise a robust risk management strategy that smooths the way for obtaining cyber insurance coverage that works for them.
Learn more about Google Cloud’s Risk Protection Program, which helps Google Cloud customers acquire cyber insurance.