Kirsten Bay, CEO and Co-Founder of Cysurance, shared insights on how CISOs should best navigate insurance policy renewal discussions and ensure security goals are better enmeshed with the overall corporate strategy.
One of the key complaints stemming from cyber insurance renewals is the amount of work it takes just to get coverage. Applications are getting bigger, renewal timelines are lengthening, and 30-50 underwriters may be involved in a single policy. Does all that diligence really help a cybersecurity practitioner build a better practice?
While cyber insurance applications should not be used to set internal security policy, insurance carriers’ focus on the financial risks of lax security implementations does help highlight the importance of the security practitioner’s role in the broader business mission. CISOs that are involved beyond the “check-the-box” exercise of a cyber insurance renewal can better support the organization in optimizing budget for insurance, as well as network resilience and ongoing strategy to create more internal efficiencies.
For companies with complex risks – such as financial services – it can take upwards of 2 to 3 months to prepare for a cyber insurance renewal. This can be used as an opportunity by the executive suite to ensure that the IT and security priorities are integrated into the corporate strategy roadmap as enablers of the business – not roadblocks. There are many high-profile cyber attacks that highlight how having silos between cyber risk management and the rest of the business has very poor business and financial outcomes.
What are the ways CISOs should ensure they are not overlooked in the policy renewal process?
Being proactive in the strategy conversation is essential to remaining a key player in the cyber insurance acquisition and renewal process. CISOs should speak business language in addition to security language so that a true partnership can be built in reviewing risks posed to the organization. These risks extend beyond malicious events to business continuity and disaster recovery scenarios, which are also covered in cyber policies. We have seen misalignment between the C-Suite, the IT team, and the security practitioner where the coverages were decided without review by the security team, and this has resulted in cyber claims not being paid or not having sufficient coverage.
While CISOs must be clear on the potential impact of accepting risks to advance business decisions, one also must find a way to ensure that the security team is viewed as the “business prevention unit.”
Let’s use an example of a security team discovering that employees were spinning up their own cloud instances for testing, resulting in shadow IT that posed a significant security risk, as well as unforeseen budget impacts. The solution was to create aggregated test instances that were much more secure and lower cost. There are many ways for the CISO to create win-win scenarios if approached differently, knowing that there will also be moments where an absolute “no” is the right answer.
How should organizations realign the approach to cyber risk insurance renewals – particularly to better use the budget and enable business growth?
Organizations should use the renewal process to identify both business and security priorities around continuity of operations and protecting information. While there are always competing priorities for resources, the rapid pace of digital transformation enables adjustments in developing a more integrated security model. While much of the infrastructure of the past required retrofitting of security into the growth of an organization, the evolving use of digitalization to drive business efficiencies naturally lends itself to a more comprehensive security plan. The ultimate goal is to leverage our digital footprints to allow for the speed of business, and continuity of operations is critical to that objective.
Kirsten Bay is Co-Founder and CEO of Cysurance, a marketplace providing cyber risk security and insurance products. Kirsten brings over 25 years of experience in risk intelligence, information management, and policy expertise across a variety of sectors. In the last 6 years, Kirsten has been the CEO of big data and cyber security companies, leading the strategy and development of next-generation analytics and attack detection technologies. Throughout her career, Kirsten has been appointed to congressional committees developing cyber policies, initiatives and recommendations for the intelligence community and held executive roles at Cyber adAPT, Attensity Group, and iSIGHT Partners.