CISOs cut out of cyber-insurance decision making, study suggests

UK cyber-insurance market still in early days

Most large enterprises in the UK still aren't managing risk through dedicated cyber-insurance policies and the few that do buy based on recommendations by legal rather than IT departments, an analysis by non-profit the Corporate Executive Programme (CEP) has found.

Given that cyber-insurance in the UK is still in its early stages, some of the numbers turned up aren't a complete surprise. For instance, 40 percent of US respondents used dedicated cyber-insurance, against only 14 percent in the UK; greater US regulatory demands, notably breach-notification requirements, largely explain this difference.

Overall, 20 percent had dedicated cover, 25 percent self-insured (i.e. set aside money to pay for incidents), and 23 percent felt their general insurance cover was sufficient for such eventualities. That left a further 20 percent with no insurance at all and 12 percent who weren't sure.

Two questions emerge from this: what were the firms that bought dedicated insurance protecting themselves against, and who made the judgement call?

Brand protection and possible loss of business from disruption were cited as important motivations, followed by cleanup costs and privacy and compliance obligations.

How likely an organisation was to have cyber-insurance in place seemed to depend on how centralised its risk-management function was. Curiously, the centralisers were less likely to have dedicated cyber-insurance (15 percent) than those using a decentralised model (31 percent), with the former preferring self-insurance.

"One possible explanation for this is that, where a centralised function exists, the organisation can look at risk to the whole business from an aggregated point of view. With a decentralised function, the picture is more fragmented," suggested CEP's report authors.

This implies that cyber-insurance take-up isn't always an entirely rational decision: it can happen without all the information to hand.

Perhaps the biggest surprise of all was the negligible role of CISOs in buying insurance: not a single one of the sample organisations said this role made the decision to buy or not buy cyber-insurance.

In half of cases the decision was by legal departments, with a further quarter by executive boards or some kind of dedicated risk function team. Often infosec heads didn't even seem to know what insurance was in place at their organisations.

What does this all mean? Probably that cyber-insurance remains a boutique purchase, with many people inside large organisations knowing almost nothing about what cover they do or don't have. When it is used, cyber-insurance is still seen as a piece of financial engineering, which means that security heads become peripheral figures.

"If the CISO is not taking part in the discussion or the decision about cyber insurance then the organization is bound to over-spend and under-spend on the other pieces of the puzzle providing an overall ineffective risk coverage for the organization," commented Amichai Shulman, CTO of security firm Imperva.

In Shulman's view, the problem was less about which job function was behind the decision to buy cyber-insurance than about how the policy's scope should shape security spending, should the day come to claim on it.

"For example, if the cyber insurance policy covers certain aspects of the risk, given the existing posture of existing systems, the CISO is better off spending additional funds on the security of new systems (not covered by the policy) rather than existing ones," he said.

"Another example: if the costs of investigating a breach are covered by the policy, then the CISO should limit the funding of projects aimed at making this task more cost effective."

CEP said it believed that the forthcoming EU General Data Protection Regulation (GDPR), due to be finalised by the end of this year, would have some impact on interest in cyber-insurance, not least because it is expected to mandate potentially large fines for breaches. However, that remained a long-term influence.

The UK Government has a stated policy of encouraging large and small firms to use cyber-insurance as a way of driving home security best practice.

Stories by John E Dunn