How do cyber insurers assess cyber risk?

June 16, 2014, Andrew Barratt, Managing Director, Europe

Last week I presented on risk transfer as a viable risk management option to compliance and security professionals at the Financial Crime Compliance Professionals Conference in London.

As mentioned in one of Rick’s earlier blog entries analyzing the Target kill chain, communication between business professionals in finance and IT is still out of alignment, and this was evident again from comments made by the community.

My presentation focused on the way in which Cyber underwriters are assessing the risks from their assured base, and the type of professional assistance they get from Coalfire in order to achieve their goals.

Scott Sayer, European Underwriting Director at CNA Underwriting, and I discussed with members of the conference the benefits and challenges of a Cyber market that doesn’t have standardized policies. Standardizing policies allows for a more consistent approach in the market, Scott suggested, but he acknowledged that the variety of cover in the market allows different underwriters to accept different types of risk, giving customers a lot of variety in the type of insurance they buy.

A fairly key point in my presentation was this: if your underwriter is asking you to disclose very little information about the effectiveness of your internal security controls, how can you be sure they fully understand the risk you are transferring to them, and therefore the validity of your cover? A number of leading underwriters have vastly increased the level and type of risk assessment they do. This has led to cyber policies that cover anything from physical damage right the way to privacy breaches and the associated disclosure costs in the US.

One of the biggest misconceptions of the day is that Cyber insurers do not want to pay out in the event of incidents. In fact, this is simply not the case. They do, however, need to keep a balance in their portfolio so that they are not paying out all the time! Many of the significant data breaches reported in the media recently have benefitted from some form of Cyber cover, whether to assist with forensic investigation costs or to help cover substantial fraud losses.
