US public companies are becoming more forthcoming with details about their cybersecurity risk profiles – and greater transparency regarding cyber-risk and cyber-attacks is expected to drive wider adoption of cyber-insurance as a means of demonstrating better corporate risk management.
“It is becoming a mainstream assumption that insurance carriers can help organizations with cyber-risk management, both in the traditional risk transfer sense and in the broader sense that they can act as neutral arbiters of cybersecurity best practices,” said NSS Labs’ Andrew Braunberg, writing in an analyst brief. “This is readily demonstrated in the recent push by the White House to promote greater insurance carrier participation in the National Institute of Standards and Technology (NIST) effort to create a cybersecurity best practices framework for critical infrastructure providers.”
And indeed, movement in the public sector is bolstering cyber-insurance in ways beyond the fact that insurance carriers are being pulled into the creation of the NIST cybersecurity framework. Also raising the profile of insurance among security professionals is the proposed reform of European Union (EU) data protection laws, which is expected to accelerate cybersecurity insurance adoption in Europe.
Braunberg recommends that enterprises view cybersecurity insurance as an important component of their overall risk management strategy. “US-based public companies must understand and keep abreast of current SEC expectations for cyber-risk/incident disclosure and, just as importantly, current industry best practice for reporting,” he said. “Enterprises should better leverage information technology (IT) security teams when selecting cybersecurity insurance and when explaining risk profiles. And insurance carriers should more fully consider and assess the differences among security vendors and products, in particular the differences in overall security readiness that are achievable based on the specific products used for defense.”