DISCLAIMER

The commentary is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. Furthermore, all commentary is based solely on our experience as insurance brokers and risk consultants and is not to be relied upon as actuarial, accounting, tax, or legal advice, for which you should consult your own professional advisors.

Cyber risk and insurance advisor Gregory Eskins sat down with CISOs Connect for a wide-ranging discussion about cyber insurance and developments in the industry.


Personal liability is weighing on Chief Information Security Officers as the SEC becomes more aggressive in demanding individual accountability for corporate cybersecurity practices and disclosures. 

Be proactive, says Gregory Eskins, Global Cyber Product Leader and Head of the Global Cyber Insurance Center at New York-based insurance brokerage Marsh.

“There are avenues to ensure that CISOs are personally protected,” Eskins said. 

“A starting point is to look at their organization’s directors and officers policy, ensuring that the CISO is included as an Insured within the policy. There may also be an opportunity to secure a personal indemnity, often as a condition of hiring.”

Although cyber policies are entity-based, i.e. designed primarily to protect the organization that purchased the policy, the definition of "insured" is generally expansive and can include directors and officers, employees, and others. A CISO, as an employee of the organization, would thus generally fall within the scope of coverage if there is a covered claim under the cyber policy, he added.

“If a CISO is concerned about their personal exposure or financial ruin, I suggest proactively speaking with legal and the risk team to explore avenues of protection,” Eskins said. “It is reasonable for a CISO to expect to be protected via their organization’s D&O and Cyber policies. To the extent there are gaps – such as CISOs working pro bono outside of their organization or as a contractual consultant, either of which can translate into professional liability exposure – the market is introducing products to fill those gaps.”

In addition, CISOs who are concerned about their physical safety can explore coverage designed to address physical security risks, such as kidnap and ransom coverage.

CISOs have a strong voice when it comes to cyber insurance and they should actively utilize it, Eskins said.

“Because cyber insurance continues to evolve, we recommend that you engage, work with your broker, your insurer, express your perspectives in terms of what you think is working effectively, and especially things you are dissatisfied with,” he said.

“CISOs have gone from often being reluctant participants in the process of underwriting and procuring insurance to being advocates of balancing security investment and risk transfer. The CISO’s perspective is invaluable in helping us shape the market to design more effective coverage and generally understand what we can do better.”

When CISOs, especially those working in critical infrastructure, expressed concerns about the evolution of the war exclusion within cyber policies, including reservations about the scope of those exclusions and how they would be applied, that feedback helped brokers advocate with regulators and insurers to formulate options for them, Eskins said.

Dissatisfaction around the time it takes to resolve business interruption claims is another area where CISOs’ voices are heard, and solutions are being worked on, he said. 

Brokers and insurers are also experimenting with ways to reduce underwriting questions after CISOs clearly signaled their frustration about the number, types and overlapping questions, along with the lack of feedback regarding the market’s perspective of their organization’s risk, including how such information is being protected, Eskins said.

“There had been a wide array of potentially overwhelming and overlapping questions. Over time, we gained a deeper understanding of the controls, processes, software and single points of failure that reduce or amplify risk,” he said. “Underwriters are not looking for the perfect risk, but rather strong signals indicating sound controls and hygiene practices, organizational governance and overall resilience.”

“That being said, change is constant,” Eskins added. “Now with generative AI, there are questions about how this technology changes risk, and how to underwrite and price exposure. Currently, we are in a period of calibration.”

Generative AI doesn’t fundamentally change things on the insurance front because there is not yet a novel risk that emanates from the use of large language models, Eskins said.

“Generative AI reflects an evolution that builds upon existing technology. In comparison, the emergence of the internet ushered in a whole new set of digital exposures and risks. To date, generative AI has amplified existing risks and added nuances that impact underwriting and pricing considerations. If, over time, generative AI converges with other emerging technologies, we may see new categories of risk arise, and almost certainly, a post-quantum cryptographic world would look entirely different.”

Telemetry is another area where CISOs have been expressing their views. Some say they will never permit an insurer even read-only access to inside-the-firewall information, whether on premises or via hyperscalers. Others welcome providing a real-time view, provided the incentives are concrete, such as premium discounts that reflect their positive security posture, Eskins said.

“That type of feedback helps us build for the future,” he said.

At this point, telemetry is not something that insurers require, he said. In the short term, insurers will continue to experiment with capturing telemetry data from those willing to share it. Ultimately, insurers will evaluate whether the data has a meaningful impact on risk modelling, which actions positively and negatively affect cyber events, and how to accurately reflect the relative client and portfolio risks through premiums, he said.

“We’re still in the process of validating the hypothesis as to whether telemetry moves the needle in a meaningful way around the understanding of risk and the ability to model and price,” Eskins said.

“That said, we know it does not hurt. I do see this effort gaining momentum, especially as the adoption of cloud environments increases,” he said. “The hyperscalers all have strong security support mechanisms with which organizations can remediate vulnerabilities, update configurations to harden their environments, turn on new security tools, and benchmark themselves against any number of standards. Smaller, resource-constrained organizations stand to benefit greatly from such support, and are generally more open to sharing that information in return for pricing reductions.”

Eskins sees cyber insurance moving toward greater convergence, specifically by standardizing the less innovative components of a contract to create greater clarity, contract certainty, and consistency about what is covered, where appropriate.

“There is fertile ground to improve existing products by reducing complexity relating to risk assessment, coverage and claims. The near future may reflect an evolution rather than a revolution of thinking, with incremental changes being more impactful than the creation of niche products,” he said.

“An important evolution, to my mind, is about solving for the existing pain points, like the long time it takes to sort out business interruption claims, for example.”

For small and medium enterprises, it is also a matter of making sure that the turnkey solutions that embed risk engineering and security services right into the product are understood and appreciated, Eskins said.

“Cyber insurance can be a financial safety net that is subordinate to our brokers and insurers’ shared objective to help make organizations more secure and resilient,” he said. 

“It’s critical for them to get back to business quickly because their ability to withstand revenue disruptions typically is a lot less than a large organization, where it’s painful, yet not fatal.”