The combination of risk mitigation, risk transfer and incident response services that cyber liability insurance companies offer can help reduce cyber exposures, a pair of cyber experts said.
But policyholders may not be able to access all available services, so insurers should work to become more aligned with their cyber customers, they said during a session Tuesday at Riskworld, the Risk & Insurance Management Society Inc.’s annual conference in Atlanta.
Insurers can force organizations to adopt specific cyber risk mitigation strategies as a condition of coverage, said Brett Tucker, technical director of cyber risk management at Carnegie Mellon University’s Software Engineering Institute in Pittsburgh.
“[...]’s an idea that you share best practices and make sure people stay up to date with the latest technology,” he said.
Cyber insurers have a responsibility to drive cyber security standards higher and have the ability to reward preparation and punish failure to address the risks, said Benjamin Bertossi, New York-based cyber product specialist at Chubb Ltd.
“There should always be a common goal of cyber resilience between an insured and an insurer, and there should be an understanding that preventative measures and proper loss mitigation are what lead to the most effective risk transfer for your organization,” he said.
Cyber insurance companies offer security and breach response services to policyholders, but buyers may not understand the scope of the services offered, Tucker said.
Insurers should ensure they are on the list of organizations policyholders call when they learn of a breach, so they can use the services they provide to reduce their own exposure as well as that of their customers, he said.
To ensure cybersecurity is embedded in their organizations, chief information officers and chief information security officers should have regular meetings with other C-suite-level executives, Bertossi said.
“Cyber risk should at least be a topic of discussion every quarter, not just one that occurs at the time of your insurance program renewal,” he said.
Cyber policyholders are seeing some positive trends, Bertossi said. For example, in the last quarter, most demands in ransomware attacks have been negotiated down to 30% to 40% of the original demand, he said.