As more organizations seek out insurance, CISOs are becoming key advisors on coverage needs and learning to integrate policies into security response strategies.

Demand for cyber insurance is up, and market observers expect the number of standalone cyber insurance policies to continue to rise. German multinational insurance company Munich Re has valued the global cyber insurance market at $14 billion in 2023 and estimates that it will hit $20 billion-plus in 2025 and exceed $29 billion in 2027.

The rise of standalone cyber insurance, something that has been years in the making, is putting new responsibilities on CISOs: security officers are being asked to evaluate cyber risk and quantify it as part of the insurance selection process. They’re being asked to help determine the appropriate levels of coverage based on that evaluation and quantification, and they’re having to demonstrate to carriers that their organizations do indeed have specific controls in place that show they’re a good bet for coverage.

“The CISO should have a voice in determining the need for coverage by assessing the potential impact of an incident on the business and working hand in hand with others in the organization to understand the impact from a monetary perspective,” says Rex Booth, CISO of SailPoint, maker of identity and access management systems.

Increasing threats and the evolution of the cyber insurance policy

The Insurance Information Institute cites two main drivers of the rise in standalone cyber insurance: “the ubiquitous threat of data breaches and cyberattacks [and the fact that] insurers have made strides in clarifying policy coverage and exclusions, improving risk managers’ understanding of product value and helping insurers better manage costs and rate stability.” Another driver is the fact that many organizations now require their business partners to have standalone cyber insurance, says Forrester Research principal analyst Heidi Shey.
“It’s often a condition of doing business today,” Shey says. “The insurance policy is almost like a proxy for readiness, response and resilience in some ways, because companies need to meet a certain level [of security controls] to qualify for a good policy.”

There is, too, the fact that in this digital era business risk and cyber risk are now one and the same. “Everyone is all interconnected, so much is digital and online, so business risk is cyber risk,” she adds. “And insurance is a means of risk transfer.”

CISOs are best positioned to deal with insurance brokers

Although CISOs oversee cybersecurity and the controls meant to blunt cyber risk, they have not historically been the executives who decide whether their organization buys cyber insurance. Instead, CFOs or chief risk officers typically make the call and determine what levels of protection to buy.

However, CISOs are taking on larger roles — as they should — in those discussions and the decision-making process, because they’re well-positioned to understand the threat landscape, the types of threats that could affect them, and how each one could impact the organization, says Paul Caron, Head of Cybersecurity, Americas at S-RM, a global corporate intelligence and cyber security consultancy.

Generally speaking, CISOs are also best positioned to share the organization’s cybersecurity strategy and details of its security controls with insurance brokers or carriers, Caron says. “CISOs are the ones who can best tell their story.”

CISOs are also best positioned to review the response resources a selected insurance company would bring to an event and to judge whether those resources are the right choices. “CISOs should be part of the process to say who they want to bring to the fight,” Caron says.
“They should be involved so they can understand how the insurance company would support them in an actual incident so they can have a frictionless response.”

Cyber insurance coverage still varies between organizations

Most organizations do not yet have a standalone cyber insurance policy but instead rely on cyber coverage as part of other insurance products. Research further shows varying levels of coverage.

The State of Cybersecurity 2024 survey report from ISACA, an international professional association focused on IT governance, found that 10% of respondents said their enterprise has first-party cyber insurance, which generally covers the costs associated with investigating and responding to cyber events as well as the financial impact on business operations; 16% reported that their enterprise has only third-party cyber liability insurance, which addresses financial indemnity to the enterprise for claims of damages resulting from a cyber event; 15% indicated that their enterprise has both first-party and third-party cyber insurance; and 14% said their enterprise did not carry cyber insurance. Just as telling, perhaps, is the fact that almost half of the survey respondents did not know what kind of cyber insurance their enterprise carries.

Meanwhile, Forrester’s 2023 Security Survey found that 83% of enterprise security technology decision-makers had cyber insurance coverage. However, when Forrester delved deeper into that coverage, it found that only 26% of enterprise respondents reported having a standalone cyber insurance policy. Another 32% had cyber coverage through an endorsement on another business insurance policy, and 25% had cyber coverage included within another business insurance policy.

Standalone cyber insurance policies remain the gold standard

Shey calls standalone cyber insurance policies (policies specifically designed to address cyber risks, which organizations purchase for this purpose) “the gold standard.
Often when there is a suit, when a claim is denied, it typically involves a more general insurance policy, which has more ambiguous coverage.”

Of course, the coverage offered by standalone policies varies, Shey notes, but it typically covers costs associated with business interruption, incident response, forensics, and other standard services arising from a cyber event. Some also cover the costs of ransom payments and negotiator fees. Still, Shey says coverage “can be very carrier- and country/region-specific, and a lot can be negotiated.”

The insurance market has seen several years of volatility, says Andy Moss, a partner in the Insurance Recovery Group in the Litigation Department at law firm Reed Smith. A spike in cyber events in the late 2010s set off a wave of claims, which was followed by pandemic disruptions and headline-making ransomware attacks. As a result, prices for cyber insurance surged and insurers implemented more restrictive policies, Moss says.

That has turned around in 2024. “What I’m seeing is more and more companies coming into the fold and buying cyber insurance,” Moss says, “and those who have insurance are able to maintain their current levels of protection or improve them.”

CISOs say the threat landscape remains the biggest insurance driver

Although the more attractive terms of insurance products are welcome, CISOs themselves say the cyber environment remains the leading reason their organizations are exploring cyber insurance. Nick Kathmann, CISO of LogicGate, a risk management and compliance solution provider, cites the threat landscape and the high costs of responding to incidents as the big motivators today. He also cites as a key reason for the surge in interest the fact that many more companies now require business partners to have cyber insurance, and he notes that investors, too, are making such demands.
Kathmann says a rise in security maturity among small and mid-size organizations is further fueling interest in and purchase of cyber insurance. “More people are realizing that they’re a target, even if they’re a small organization. They’re seeing the high costs of responses, and they’re seeing that those costs get astronomically high very fast,” he adds. (The average cost of a data breach for organizations in 2024 was $4.88 million, up 10% over the 2023 average, according to IBM’s Annual Data Breach Report.)

Kathmann adds: “A very large organization with a lot of cash on hand and cash reserves can self-insure. But for anybody that doesn’t have that money, insurance is becoming a requirement very quickly, especially if you want to sell B2B.”

To reduce risk, CISOs need to be an integral part of the insurance process

Sarb Sembhi, a member of the Emerging Trends Working Group at the governance association ISACA and CTO of Virtually Informed Limited, advises CISOs to work as part of a team that includes operations, finance, legal, risk, IT, human resources and communications, as they all have roles in responding to an actual cyber incident.

“If you want to understand the risk and your [required insurance coverage], then get your team together, just as you would when you’re dealing with regulations and compliance, and look at the changing risks and threats, your response plans and determine your policy requirements,” Sembhi says.

Caron says he has seen the consequences of excluding CISOs from insurance discussions and decisions, pointing to one cyber incident response he worked as an illustrative example. The insurance company had its own list of response resources and limited what it would pay to resources on that list. The CISO had his existing partners, but those partners weren’t on the insurance company’s list and would cost significantly more than the policy would pay.
Hashing out the response team and who would pay what took nearly nine hours, significantly delaying the response.

Despite such examples, Robert Booker, a former CISO now serving as chief strategy officer at HITRUST, which provides enterprise risk management, information security, and compliance assurances, says CISOs and their security programs may get a boost from the pursuit and purchase of cyber insurance, as insurers want proof that certain security controls are in place and may require the addition of certain policies and procedures to improve resiliency.

“Insurance companies have a rigorous process to validate that the controls companies say they have are actually there and in effect,” he says. Moreover, he notes that some insurers offer services, such as assistance with tabletop exercises, that can strengthen an insured’s security posture.