September Risk Roundup: The debate — does cyber insurance make companies less secure?

by Shawn Ram.
The Risk Roundup is our weekly collection of curated content that relates to all things digital risk management. Members of the Coalition team have pulled together their favorite posts from the week that highlight relevant trends in cybersecurity and cyber insurance. Enjoy our TL;DR and useful snippets on topics we’re keeping a close eye on.

News broke this week (again) that cyber insurance allegedly does not prevent cyber attacks and instead increases risk. It’s no secret that Coalition doesn’t agree with this sentiment. It’s true that insurance carriers often do not focus on preventing cyber attacks in the first place — and that’s what’s led to the hardening market we currently face. Coalition has always evaluated an organization’s cybersecurity posture before deciding whether or not we’ll provide coverage. Not only that, but we also continuously scan our insureds for security vulnerabilities and notify them if anything needs to be addressed. There’s a need for standards for the insurance market as a whole, yes, but rest assured: we’ve been two steps ahead.

1. Cyber insurance may not be making companies more secure

This article misses the point about the role that cyber insurance can play in managing cyber risk. Cyber insurance providers have a direct financial incentive to protect insured clients and prevent financial loss, and therefore can offer the correct incentives to policyholders to implement protective actions and controls. They also are able to provide financial recovery to the organizations that need it most, serving as a financial backstop to prevent catastrophic loss. What makes Coalition different from other carriers is that we have the data to understand what poor security controls lead to financial losses following a cybersecurity incident. We have an entirely different approach to cyber risk assessment, leveraging public web scanning, dark web scanning, and proactive threat intelligence to enable faster and more accurate underwriting. We incentivize policyholders to implement good cybersecurity controls and preventative measures, preventing incidents wherever possible. Insurance companies have a unique opportunity to help their policyholders address and mitigate their cyber risk. We’re excited to set the standard for how well protected our policyholders must be to receive cyber insurance. Shawn Ram, Head of Insurance

2. Writing cyber is key to survival

When the world’s largest reinsurer speaks, we should probably listen. Cyber risk isn’t going away, so why should cyber insurance? As cyber insurance carriers, we have a broad reach and a duty to the general public. So let’s all strive for better cyber hygiene, better risk management practices, and support the broader public by offering more tools to combat cyber risk. We’re in this together. Miki Ho, Business Development

3. IT teams have felt 'forced' to trade security for business operations

I believe this number is likely closer to 100%. It’s an IT leader’s job to enable business first and then handle risk mitigation second. Sometimes bad trades are made, but there are ways to be covered properly. IT leaders should frame it this way: “I can do that, but that exposes us to risk X. Is that acceptable to you?” Scott Walsh, Senior Engineer

If you enjoyed this post, be sure to check our blog weekly; the Risk Roundup runs Friday mornings in addition to more enlightening content we post related to the ever-evolving landscape of digital risk. Follow us on Twitter (@SolveCyberRisk), LinkedIn (Coalition Inc), and YouTube. If you have any suggestions for content that we should be adding to our reading list, let us know!