And are stronger formal assessments needed when onboarding insureds?
Almost half of the organisations that responded to a 2023 survey have switched their cyber insurance provider, and only a quarter of respondents said they were thoroughly vetted by their insurer when coming on board.
Forty-eight per cent of the 706 IT and cyber security practitioners surveyed by Recast Software and the Ponemon Institute in 2023 said they had changed their cyber insurance provider, with the main reasons given as:
- Policy cancellation (25%)
- Cost (21%)
- Finding a company that offered better coverage and pricing (18%)
Furthermore, only 25% of participants said they were given a formal assessment by an insurer or broker when they were onboarded.
“Brokers conduct these initial assessments via a questionnaire that is both insightful yet vague,” said Will Teevan, CEO of Recast Software. “It’s really hard to quantify how well an insured is following certain protocols.
“They may say that they patch their OS when an update is available, but is that 100% of the time or only 80%? An insured may also say that they manage 100% of the environment, but are brokers really sure of that?”
Frequent switching, combined with a lack of thoroughness when onboarding clients, makes it harder for insurers and brokers to understand the risk profiles they are underwriting.
“I don’t think it’s a good thing for anybody,” Teevan said. “It doesn’t give anybody a clearer picture of what the actual risk is when you’re constantly changing.”
“I think you will see more programmatic approaches to it from brokers and insurers,” he said. “They will be able to tap into management systems to pull data with the tools they already have, but newer technologies will allow them to access and evaluate an insured’s environment.
“They will be able to see how well their cyber posture is and not just on a questionnaire — I think a broker or insurer’s capabilities will get more and more intense as things get bigger and bigger.”
Businesses are ramping up their cybersecurity posture in-house to stave off threat actors, but in some cases this has resulted in security and systems management teams becoming siloed from one another.
“There’s definitely a silo there that needs some breaking down and mutual support,” Teevan said.
A siloed approach risks creating friction between the two teams rather than promoting a more collaborative ethos.
“The security team has a lot of budget, lots of tools and a lot of clout within the organization,” Teevan said. “But the security team is very focused on alerting and monitoring through penetration testing and sounding the alarm that there may be potential vulnerabilities because a CVE (Common Vulnerabilities and Exposures identifier) has come out.”
Those working in systems management, who do the more tactical work of remediating these potential vulnerabilities, are often left with less budget and fewer resources, and so are less able to act proactively when a threat comes in.
“There needs to be more emphasis on the more tactical team that’s managing users and devices to be more proactive and give them the tools they need to get ahead of the problem, versus waiting for them to react with the security team,” Teevan said. “The security team is tasked with preventing risk and to create an environment they can help a company dial down risk by being restrictive and not letting things happen.
“And then you’ve got another team, systems management, that’s tasked with enabling the entire organization to get their job done.”