The history of cyber security insurance policies in the United States began in the late 1990s. Some of the early policies covered online media, while others were errors in data processing (EDM) policies.

In the last five years, cyber insurance has evolved into a booming market that helps a growing number of enterprises offset the financial costs of data breaches and cyberattacks, and it has spawned an increasing number of competing insurance carriers offering remarkably cheap policies. Surprisingly, these policies contain hidden exclusions and conditions.

Central to this is that insurance carriers often dictate how Incident Response (IR) will be conducted, and which IR vendors will be called in to conduct the investigation and clean-up efforts following a breach. In many instances, if the carrier's IR plan is not followed to the letter, coverage can be nullified.

A recent article in examined the challenge of IR for companies filing claims after an attack or breach. A typical scenario: the company informs its insurance carrier of the incident; the carrier then determines that the company's IR process does not comply with the policy's guidelines, which forces the company to bring in a pre-approved IR vendor for clean-up efforts and forensic investigation. The approved IR vendor ends up becoming the primary decision-maker for the company, rather than the company's own IR team, and the process can delay reaction time and increase costs. This dynamic of insurance carriers dictating how cyber attacks are handled for their policyholders has security experts concerned.

Cyber insurance is just one byproduct of a much bigger issue: the rise of Digital Risk Management, particularly for large organizations seeking to prioritize and quantify risk as it relates to their business.

We at the Digital Risk Management (DRM) Institute have been following the cyber insurance industry for years and know that insurance companies are very aware of the value of DRM. We have published a DRM framework with well-defined processes for streamlined IR that ensures compliance with insurance company policies, eliminating the need to bring in a different IR vendor.

We have been advocating new forms of Digital Risk Management that can identify vulnerabilities and even qualify and quantify risk on a holistic basis before cyber insurance is even considered. Innovative new technologies, such as the Software Defined Perimeter, have already proven successful in protecting critical data and infrastructure in large organizations. Only through a thorough understanding of your digital risk profile can you reduce that risk and leverage adequate cyber insurance.

Ultimately, for the insurance provider, it is about much more than just having critical IR controls in place. From the carrier's perspective, it is about a commitment to a Digital Risk Management program, with organizational buy-in, that enables an organization to understand cybersecurity and risk from a business perspective. Digital Risk Management requires an understanding of an organization's digital risk profile and the ability to leverage, model, and monitor the relationships between cyber security, critical infrastructure, and physical controls, among other things. The most innovative organizations are already moving down this path, and these are the organizations that will get the most attention from insurers as they seek reduced premiums.

To learn more and collaborate with like-minded others, join us at the Digital Risk Management Institute.