By GRC & Fraud Software Journal
Mike Shultz, CEO of Cybernance, recently spoke about the road ahead for cyber insurance, which companies purchase to protect themselves against loss of income and reputation when hackers steal company data or commit other cyber crime.
Shultz is an expert in cyber risk governance and helps companies comply with standards and regulations from the National Institute of Standards and Technology (NIST), the SAFETY Act, HIPAA, the Federal Financial Institutions Examination Council (FFIEC), and the International Standards Organization (ISO) for better risk mitigation and protection from liability in the event of a breach.
Shultz says insurance firms have realized they don’t have enough actuarial data to fine-tune the right amount of coverage and associated premiums to meet the new demand for coverage.
Also, cybersecurity vendors and cyber insurance firms can’t find common ground to develop reasonable standards of security and insurability, perpetuating inconsistency and ineffectiveness. This comes as no surprise to folks in the industry – but where do cyber insurers go from here?
Shultz says the cyber insurance industry has been shaped by these 5 developments:
1. A high frequency of breaches and significant losses that have driven rapid growth and interest in cyber insurance.
2. Cyber technology that has evolved and become an advanced method for preventing and detecting breaches.
3. Government-developed standards, such as NIST’s Cybersecurity Framework, that lay a foundation of cybersecurity parameters.
4. Insurers beginning to differentiate by industry (as in other lines of insurance) when setting cyber insurance rates.
5. The National Association of Insurance Commissioners’ proposition of legislation to begin regulating cyber insurance.
Here’s what to expect of the cyber insurance community in 2017:
1. Finer-grained rate setting based on demographics and data about internal defenses. This means companies will need to implement and maintain better cyber risk governance in order to become and stay covered in the event of a cyber breach.
2. Insurance companies will exert their influence over cyber risk to a more significant degree. No longer will they allow enrollees to drive as much of the conversation.
3. Compliance frameworks (such as NIST, HIPAA, FFIEC, ISO, etc.) must be applied consistently to inspect internal defenses as a way of rationalizing different rates. Compliance with these standards will be required for coverage and will drive varying rates, so organizations will need the right tools and technology to keep track of those requirements.
4. Rates will then be set consistently based on those levels of defense. To get a better rate, companies will need to maintain ongoing compliance and proper defenses as insurance firms get up to speed on what a truly cyber-aware and responsible organization looks like.
Contact Mike Shultz at Cybernance.