IT Skills and Underwriting: A Winning Combination

Modis Posted 12 April 2016

In October 2015, the Insurance Information Institute (III) released a white paper entitled "Cyber Risk: Threat and Opportunity," which stated that the number and impact of successful data breaches continue to rise. This in turn is driving increased adoption of cyber insurance in an attempt to reduce risk, with spending in 2014 totaling $2 billion. This is expected to triple by 2020, and premiums will also increase due to the emergence of new threats and technology.

While healthcare, financial and manufacturing industries are among the main adopters, other industries are now following suit, driven by the knowledge that company size or industry will not deter hackers, whether they are cyber criminals, nation-state attackers or so-called crusaders righting perceived wrongs.

How can companies protect themselves using cyber insurance policies? How are premiums calculated? How is risk determined?

Digital Assets

Insuring property is much easier as tangible, physical assets are involved. This is not the case with cyber insurance, as it encompasses a company's entire digital and technological footprint, including stored data.

Granted, physical assets such as storage devices, hard drives et cetera are involved, but it is the data that has value. Companies rely on data (it may include medical records, intellectual property, financial and billing information and more), and cyber insurance attempts to mitigate potential damages when that data is lost, stolen or destroyed, whether these losses are caused by loss of reputation, downtime, legal fees or, in some cases, human error.

As with all insurance policies, premiums are based on the levels of perceived risk and in most cases, risks are easily quantified, being based on historical statistics, demographics and other criteria familiar to insurance underwriters. These experts analyze all available information and set an insurance premium, payment and limits, where the insured pays a fixed value of any insurance claims.

Cyber Security Experts

Given that calculating premiums for auto, home, and life insurance involves expert underwriters, consider cyber insurance. Existing experts will have little knowledge of the complexities of IT infrastructures, security standards, and risk potential. Cyber insurance is a relatively new area and, as adoption increases, this creates opportunities in the insurance industry for skilled IT security professionals. These are the individuals necessary to assess, based on tangible experience and qualifications, a company's security posture and provide a score or rating based on the results.

In the same way that a skilled assessor can determine the cause of an auto accident or fire, the duties of assessors in cyber insurance can include but are not limited to:

  • A complete audit of hardware and software to identify any items that require updates.
  • Confirmation of compliance with necessary standards. Financial and healthcare companies have specific standards such as PCI-DSS and HIPAA.
  • Independent testing of security awareness among employees.
  • The identification of potential weaknesses in any aspect of security, from external threats to on-premise security systems and document disposal. This is commonly known as penetration testing or ethical hacking.

Your Responsibility

Since insurance is based on risk, if a company pays little attention to security, insurance companies will either levy high premiums or refuse to offer a cyber insurance option. The latter is more likely as every company must demonstrate an awareness of security issues according to defined recommendations, whether the NIST Security Framework or another.

It is worth noting that cyber insurance is not and will never be a quick fix for a lax attitude to IT security. It is every company's responsibility to protect its digital assets, and cyber insurance is a worthy investment to protect against a targeted attack, unexpected service interruption or natural disaster. There is no such thing as 100 percent secure, and cyber insurance is not a replacement for robust backup and disaster recovery plans. Similarly, companies that have experienced several data breaches or belong to a high-risk industry will command higher insurance premiums.

The combination of underwriting and technical knowledge necessary to calculate cyber insurance premiums is a challenge for insurance companies, given the disparity of professions. However, there is no denying that those with relevant IT expertise can find a home in the insurance market, and those with added underwriting knowledge are in an even better position as cyber insurance adoption increases.
