
Why CISOs Should Participate in Cyber Insurance Negotiation


A recent survey conducted by Heidrick & Struggles, a human resources and management consulting firm, has revealed that more than half of all Chief Information Security Officers (CISOs) report to a technical corporate officer rather than the business side of the organization. This lack of recognition by the board can significantly diminish the CISO’s ability to deliver crucial insights and recommendations pertaining to the business’s cybersecurity. Often, CISOs are burdened with the responsibility of safeguarding the company without having the authority and budget necessary to successfully execute their tasks.

However, there is one business imperative that is gradually driving boards to seek the input of CISOs and increasing their corporate recognition and authority: cyber insurance. Typically, negotiations regarding cyber insurance policies are led by the general counsel, chief financial officer, or chief operations officer. Incorporating the CISO into these discussions is considered a best practice as it ensures that the insurers have a comprehensive understanding of the company’s security controls, the rationale behind their configuration, and the overall cybersecurity strategy. Unfortunately, in many cases, these best practices are overlooked due to issues of expediency and a lack of acceptance by other C-suite executives.

One major advantage of allowing CISOs to directly engage with insurance carriers and brokers is that they gain access to critical threat intelligence that they may not have been aware of previously. Jason Rebholz, CISO at Corvus, a cyber insurance company, states that being part of an insurance company has given him insights into the cybersecurity resources available to insurance customers and the benefits that CISOs can leverage to perform their jobs more effectively. By changing the mindset of CISOs from perceiving insurance carriers as solely financial partners to threat intelligence partners, both parties can benefit. Insurers are able to mitigate risk by leveraging the expertise of educated CISOs, resulting in reduced risk for themselves and their clients.

To fully exploit these opportunities, it is vital for CISOs to engage their insurers in discussions about cyber threats. Tracie Grella, global head of cyber risk insurance at AIG, emphasizes the importance of this partnership, as it enables organizations to improve their overall security posture. Insurance carriers have access to valuable information regarding losses, new trends, and claims across various industries and geographies. Sharing this information with CISOs allows for faster identification of emerging threats and the adoption of proactive security measures.

While larger companies often include CISOs in cyber insurance discussions, smaller and some midsize organizations may not have a corporate CISO position. This puts them at a significant disadvantage, particularly when encountering an insurance claim. Scott Godes, partner and co-chair of the Insurance Recovery and Counseling Practice at Barnes & Thornburg LLP, emphasizes the need for an engaged CISO in these situations. Without a CISO, organizations risk having non-technologists address technical cybersecurity issues, potentially exposing the client to additional risks. To ensure the effective transference of risk through cyber insurance, organizations need a strong CISO who can explain the importance of security issues to the board and effectively engage with insurers and claim adjusters.

Another challenge that organizations face when dealing with cyber insurance applications is the complex and technical nature of the questions. Filling out these applications requires a significant amount of technical expertise, as inaccurate or incomplete responses can result in claim denials or even legal disputes with the insurance carrier. Marc Schein, national co-chair of the Cyber Center of Excellence at Marsh McLennan Agency, stresses the importance of having CISOs, who possess the necessary technical knowledge, actively involved in the application process. This ensures that there are no misrepresentations that could potentially lead to claim denials.

While the cyber insurance market faced significant challenges during the COVID-19 pandemic, the chaos has subsided. CISOs who focus on implementing key cybersecurity controls recommended by Marsh now have the opportunity to negotiate better rates and terms compared to a year ago.

In conclusion, incorporating CISOs into cyber insurance discussions and engagements with insurance carriers and brokers is essential for organizations looking to enhance their cybersecurity posture. By bridging the gap between the technical and business sides of an organization, CISOs can provide valuable insights and recommendations, leading to improved risk mitigation and overall security. Ultimately, this partnership between CISOs and insurance carriers is instrumental in effectively addressing the evolving cyber threat landscape and ensuring the resilience of organizations against potential attacks.
