The insurance industry has been making the case to Congress that cyberinsurance can be a path to good security practices, encouraging different groups inside an organization to communicate better with one another. The process of investigating, applying for and being approved for cyberinsurance may indeed prompt important discussions inside organizations about cybersecurity, and it may be a subject that prompts board-level discussion of cyber preparedness. But in our view, relying on cyberinsurance as the spark for those conversations is the tail wagging the dog, or the chicken mistaken for the egg and the egg for the chicken.
Good cybersecurity preparedness begins with cross-functional communication and coordination among IT, legal, communications/PR, risk management and finance. While cyberinsurance does raise the question of how much risk to offload, there is a broad set of institutional considerations that go far beyond that narrow question. Companies that decide to transfer some risk to an insurer must, at the same time, squarely address the risk that they retain. How robust are their information security governance practices, technical measures, training and response plans? Focus on these subjects goes far beyond insurance and beyond answering the questions in an insurance application, and building a cybersecurity program around a cyberinsurance application is a weak foundation for the future. Insurers are struggling to adequately assess risk in this area, and applications typically reflect last year’s megabreach. Case in point: carriers are asking every company about P2P encryption for credit card processing, regardless of whether the company has significant retail operations that accept credit card payments.
Instead, companies must focus on their own risk profile – those risks that present the greatest organizational threat – and build a thoughtful, risk-based program in response. Cyberinsurance may be an important part of that program, but it is not the “chicken” or the “egg.”