SANS and Advisen join forces and bring together InfoSec and insurance worlds for the first time to shed light on gaps in the growing cyber insurance market, sponsored by PivotPoint Risk Analytics
Baltimore, MD, Bethesda, MD and NYC — June 21, 2016 — PivotPoint Risk Analytics, SANS and Advisen announced today the results of an industry-first joint survey that shows while cyber insurance is a young and rapidly evolving product — which can leave organizations with an uncertain sense of protection — there is a set of gaps that can be bridged to help cyber insurance mature faster and be seen as a more effective risk transfer vehicle. The unique data delivered in this survey represents the first time the respected information security research and insurance data and analytics firms have joined forces to bring the InfoSec and insurance worlds together to shed light on the gaps in this critical yet confusing market, currently projected to double in premiums by 2020.
Organizations of all sizes are rushing to adopt cyber insurance, a trend accelerated by SEC guidance to executive management and boards of directors of public companies. Yet in one of the key findings of the survey, only 48% of the CISOs and other information security (InfoSec) professionals surveyed find cyber insurance at least “adequate” when addressing the consequence of a data breach. InfoSec is often insuring the wrong things and uncertain as to what is and is not covered by their policies; insurers are uncertain of the risk they are accepting when writing a policy. The reason for this disconnect? Only 30% of underwriters and 38% of InfoSec respondents believe they even speak the same language.
“Senior executives are now insisting on cyber insurance protection. As a result many CISOs and other InfoSec professionals are interacting with underwriters for the first time. CISOs, and even the risk managers charged with buying insurance, often do not fully understand what is covered by their cyber insurance policies,” said David K. Bradford, co-founder and chief strategy officer, Advisen Ltd.
In one example, P.F. Chang’s recovered $1.7 million from its insurer for post-breach expenses and defense of a class action suit following a 2014 breach. But what the company did not recover, and what was the source of a lawsuit against its insurer, was its reimbursement to its credit card processor for a $1.9 million PCI DSS assessment. “Situations like this might be avoided by better communication and coordination between InfoSec professionals and underwriters before a policy is bound,” added Bradford.
Titled “Bridging the Insurance/InfoSec Gap: The SANS 2016 Cyber Insurance Survey” and representing 203 InfoSec respondents and 195 insurer and broker respondents, the research specifically uncovered the potential sources of friction and gaps between the InfoSec and insurance communities:
Other key survey findings include:
Barbara Filkins, SANS Analyst and author of the survey says:
By uncovering these gaps, this report identifies the building blocks necessary to work together effectively, making cyber insurance a valuable component of an organization’s information security program and a sustainable industry.
The results of the “Bridging the Insurance/InfoSec Gap: The SANS 2016 Cyber Insurance Survey” will be presented Tuesday, June 21st, 2016 at 1:00 PM (13:00:00 EDT/US Eastern). To register visit: https://www.sans.org/webcasts/bridging-insurance-infosec-gap-2016-cyber-insurance-survey-101900
To download the full report and for more information on methodology and scope visit: https://www.sans.org/reading-room/whitepapers/analyst/bridging-insurance-infosec-gap-2016-cyber-insurance-survey-37062
About SANS Institute
The SANS Institute was established in 1989 as a cooperative research and education organization. SANS is the most trusted and, by far, the largest provider of training and certification to professionals at governments and commercial institutions world-wide. Renowned SANS instructors teach over 50 different courses at more than 200 live cyber security training events as well as online. GIAC, an affiliate of the SANS Institute, validates employee qualifications via 30 hands-on, technical certifications in information security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers master’s degrees in cyber security. SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, and newsletters; it also operates the Internet’s early warning system–the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to help the entire information security community. (www.SANS.org)
About Advisen
Advisen is leading the way to smarter and more efficient risk and insurance communities. Through its information, analytics, ACORD messaging gateway, news, research, and events, Advisen reaches more than 150,000 commercial insurance and risk professionals at 8,000 organizations worldwide. The company was founded in 2000 and is headquartered in New York City, with offices in the US and the UK. Visit www.advisenltd.com to learn more.
About PivotPoint Risk Analytics
PivotPoint is the leading provider of cyber risk analytics that measure Cyber Value-At-Risk. In a world where conventional wisdom says you will get hacked, you bought one of everything to try to thwart the attack and protect your crown jewels. And as the threat and the business evolve, so does your cyber risk. Our customers, on any given day, can prove they have lowered the company’s cyber risk to secure the value of their business. Visit PivotPoint at www.pivotpointra.com, Twitter or LinkedIn.
PivotPoint Risk Analytics: Leslie Kesselring, 503-358-1012
Advisen: Charlene Farside, 302-861-6917
SANS: Kevin Fogarty, 978-443-9055