How do cyber insurers assess cyber risk?

Andrew Barratt, Managing Director, Europe

Last week I presented on risk transfer as a viable risk management option to compliance and security professionals at the Financial Crime Compliance Professionals Conference in London.

As mentioned in one of Rick’s earlier blog entries analyzing the Target kill chain, the communication between business professionals in finance and IT is still out of alignment and this was evident again from comments made by the community.

My presentation focused on the way in which Cyber underwriters are assessing the risks from their assured base and the type of professional assistance they get from Coalfire in order to achieve their goals.

Scott Sayer, European Underwriting Director at CNA Underwriting, and I discussed with members of the conference the benefits and challenges of a Cyber market that doesn’t have standardized policies. Standardizing policies allows for a more consistent approach in the market, Scott suggested, but he acknowledged that the variety of cover in the market gives different underwriters the ability to accept different types of risk, giving customers a lot of variety in the type of insurance they buy.

A fairly key point in my presentation was this: if your underwriter is asking you to disclose very little information about the effectiveness of your internal security controls, how can you be sure they fully understand the risk you are transferring to them, and therefore the validity of your cover? A number of leading underwriters have vastly increased the level and type of risk assessment they do. This has led to cyber policies that cover anything from physical damage right the way through to privacy breaches and the associated disclosure costs in the US.

One of the biggest misconceptions of the day is that Cyber insurers do not want to pay out in the event of incidents; in fact, this is simply not the case. They do, however, need to keep a balance in their portfolio so that they are not paying out all the time! Many of the significant data breaches reported in the media recently have benefitted from some form of Cyber cover, whether this has been to assist with forensic investigation costs or to help cover substantial fraud losses.

Andrew Barratt
