Cyber insurance the "wild west"
02 Nov 2017
An expert says that while cyber insurance is essential, the current market is a mess: there are no benchmarks for the policies, and both buyers and sellers are approaching it the wrong way.
“Every policy that you’ll read – and I’ve read probably a hundred of them now – is different,” explained Jeremiah Grossman, chief of security strategy at endpoint security software developer SentinelOne. “There are no standards. It’s a Wild West out there. In many cases, it looks like they took a property or fire insurance policy and substituted fire with computer, and it doesn’t really map that way.”
Grossman also told SearchSecurity that he thinks the wrong people are buying and selling cyber insurance.
“What’s challenging operationally for the entire ecosystem is that the primary buyer of business insurance is the CFO and the risk department that doesn’t know enough about cybersecurity,” he explained. “And it’s being sold to them by an insurance broker who certainly doesn’t know cyber insurance.”
“When it’s a large policy – let’s say it’s over $100 million – there will be a survey that gets funneled down to the CISO that says: ‘Tell me about your IT environment,’ which will not move the premium one way or the other. And that’s the last time a CISO ever touches a cyber insurance policy, predominantly,” Grossman added.
Grossman believes that the CISO should be part of the cyber insurance discussion.
“Where it should be, and where I think things are going to head based on conversations with a lot of CISOs, I think they’re going to take ownership over that insurance piece as the purchase,” he said.
He also expects insurers to turn to security sales representatives to sell their insurance products.
“What I think the insurers will do is start hiring security sales representatives and teach them enough insurance to sell to the CISO in that channel,” he explained.
Grossman also argued that it is more practical to teach security sales reps enough insurance to sell policies than to train insurance brokers in computer security.
“Because it’s either we train the current brokers in computer security or we train sales reps in security just enough to sell insurance,” he said. “So which one’s the better model?”
Grossman also expects cyber insurance premiums to be adjusted according to an assessment of the client’s risk, with evaluators such as consulting firms sent in to assess risk on policies of more than $100 million.
For policies of less than $100 million, Grossman believes that customers should be able to get a quote by answering three questions.
“First, what industry you are in, because certain industries are more targeted than others,” he said. “Second, how many records you’re storing, because they calculate based on that on how many notifications they’re going to have to do in case of a breach because that’s a hard cost. And third, how much revenue you’re doing, because that speaks to the attractiveness of the victim as a target.”
- Insurance Business