Bridging the Insurance/InfoSec Gap: The SANS 2016 Cyber Insurance Survey

June 2016

The SANS Institute recently released a report that looks into the conceptual gaps that often make it difficult for members of the cyber security and cyber insurance communities to find a common basis on which to develop reasonable standards of security and insurability. It features the results of a study conducted by SANS and Advisen, which was conducted to further quantify and resolve these gaps, making cyber insurance an integral and highly valued part of a comprehensive information security (InfoSec) program. This free, 31-page report is sponsored by PivotPoint Research Analytics.

Establishing Appropriate Levels of Cyber Insurance Coverage

How much influence do (or should) underwriters have over an organization’s InfoSec strategy? Do underwriters and InfoSec professionals largely concur on best practices? Where are the gaps and the sources of friction? Are underwriters and InfoSec professionals speaking the same language when discussing cyber risk? Where are the disconnects? What are the consequences? What can be done to further improve communication, coordination and cooperation? What role should the CISO play in the insurance procurement process? What can be done to ensure that insurance is valued as an integral part of an organization’s overall InfoSec strategy?

These are some of the issues discussed in a joint study conducted by the SANS Institute and Advisen. Their collaborative report highlights the significance of many of these issues and offers insights into a productive path forward for both the InfoSec and cyber insurance communities.

The goal of this collaboration was to provide a deeper understanding of the barriers encountered in establishing appropriate levels of cyber insurance coverage and the impact on the security posture of those organizations.

Only 38 percent of respondents involved in the decision to purchase cyber insurance believe there is a common language of cyber risk between themselves and their insurance representative, and 55 percent say they lack a common language with which to communicate about cyber insurance.