Underwriters, InfoSec Officers Must Close Gap on Risk Management

There is a major disconnect, on a number of levels, between information security officers ready to purchase cyber liability coverage and the insurance brokers and underwriters eager to meet that demand.

That’s the big takeaway from a new study by security think tank The SANS Institute and insurance industry researcher Advisen. SANS/Advisen extensively questioned 203 security professionals and 194 insurance industry executives.

The resulting report, titled “Bridging the Insurance/InfoSec Gap,” was commissioned by cyber risk analytics vendor PivotPoint Risk Analytics. It found that only 30 percent of underwriters and 38 percent of infosec respondents felt they speak the same language.

The resultant confusion has reached the point where about two-thirds of the respondents indicated they would welcome assistance from regulators in defining standards and due diligence.

“There’s one set of jargon used in the IT community and a dozen or more sets used at the cyber insurance carriers,” says Dave Wasson, leader of the Cyber Liability Practice at Hays Companies, an insurance broker and risk-management consultancy.

Wasson says that even for someone like him, who reviews insurance policies for a living, the vocabulary differences are making the job very difficult.

“The policies are not structured the same. There’s some shared DNA, but they are very different products from carrier to carrier,” he says.

Two paths to the same goal

SANS analyst Barbara Filkins, primary author of the report, says that in addition to terminology, the survey found major gaps exist in:

  • Assessment frameworks. These are the benchmarks for determining minimal levels of cyber hygiene. The insurance industry favors quantitative over qualitative models. But only 25 percent of infosec respondents employ a detailed quantitative model. Imprecise qualitative analysis is most common in the infosec realm.
  • Communication. Ineffective communication is common between InfoSec professionals, risk managers and insurance companies, and between the underwriters and brokers within the insurance community.
  • Transparency. A lack of transparency in underwriting criteria has resulted in companies making security systems investments that are not necessarily aligned with making them more insurable, nor resulting in paid benefits in the wake of a cyber attack.

Underwriters and cybersecurity professionals have the same objectives in protecting a company from cyber incidents—but the two sides have developed “parallel paths” instead of talking to each other, says David K. Bradford, co-founder and chief strategy officer at Advisen, who contributed to the report.

“As a result, there’s a fair amount of misunderstanding between the two communities, particularly lack of real in-depth understanding of what insurance covers and how it works from the standpoint of information security,” Bradford says. “There’s something of a Tower of Babel even within the insurance community itself.”

Fundamental differences

Some of the report’s key findings:

  • Only 48 percent of CISOs and others in InfoSec found cyber insurance at least adequate for a data breach.
  • While CISOs are the best at understanding risk exposure, only 5 percent have any decision-making power in purchasing coverage.
  • The gap in the terminology and risk-assessment framework has created a communication divide not only between the two sides, but also within organizations, between the infosec professionals and the risk managers.
  • The “lack of transparency in the underwriting criteria has resulted in misaligned investments” by insurance buyers into technology and other defenses they think would make them insurable.

Among the fundamental areas of disconnect is the basic definition of risk. Cybersecurity practitioners look at risk in the context of threats and vulnerabilities, and consequently try to eliminate it through technology defenses and policies. Insurers, on the other hand, look at risk through the lens of financial consequences to the organization.

The cybersecurity sector’s approach to defining risk can be limiting, says Stuart Itkin, chief marketing officer at PivotPoint Risk Analytics.

“Looking at threats is important, but it doesn’t answer what the exposure is,” Itkin says. “We need to be able to look at the financial exposure, or potential losses and consequences of a cyber attack as a common denominator of the measure of risk.”

Emerging cyber field

One major challenge stems from information security being a relatively nascent field. The insurance industry favors quantitative data. And typically, insurance rates are based on decades, or even centuries, of historic data. Cyber insurance losses and claims, however, only go back maybe a decade or so.

“In the InfoSec world, a lot of what people can provide is qualitative in nature because there aren’t any hard numbers to show,” says SANS analyst Filkins.

The lack of quantitative data leads to inconsistency in how underwriters approach exposure—and “the information security professionals and the brokers are in the same boat,” Filkins says.

Unlike other insurance fields, cyber is very dynamic because the threats—and the consequences—are continuously evolving. But the underwriting process itself is static, showing only a snapshot, says Ben Beeson, senior vice president of Cyber Risk Practice at insurance brokerage Lockton.

Not only that, he says, but underwriters don’t understand how specific controls used by a company “move the needle on the risk exposure relative to the threat environment that the company operates in.”

“The underwriting process for cyber insurance is broken,” he says.

Common framework needed

That makes cyber insurance difficult to navigate for CISOs like John Sapp. When he joined Orthofix, an orthopedic products supplier, Sapp almost immediately got pulled into the conversation about policy renewal. He says it’s confusing to understand what’s covered, why things are being excluded, and even how to complete a claim.

Sapp, like many others, would like to see a standardized method for assessing an organization’s risk.

“That is why we need a framework. It doesn’t matter which one—just pick one,” he says. “Then you can better quantify how you’re identifying the level of risk and articulate how you’re reducing that risk.”

The choice of framework, however, has been the subject of much debate among the estimated 60-plus cyber risk underwriters.

“There’s a certain lack of transparency upfront and lack of consistency in standards … so it’s a frustrating situation for the information security professionals and insurance buyers,” Bradford says.

Despite all the challenges that come with an emerging market, Itkin says things are working “fairly well” and moving in the right direction. Not only are insurance companies looking for new technology tools to satisfy their search for quantitative analysis, but there’s more dialogue between the two sides, Bradford says.

“Everybody’s objective is to create better cyber insurance outcomes,” he says.

Rodika Tollefson writes for, where this article was originally posted.