
In my last post, I talked about the linkage between an application for business liability insurance our CFO asked me to complete and the SANS 20 Critical Security Controls.

This week, I wanted to dig a little deeper and get a better understanding of how the insurance provider would use the responses to the application to make decisions about insurability and cost, so I called Ryan Cox, Vice President and Risk Management Consultant with USI, and had an interesting conversation with him that I wanted to share with you.

According to Ryan, the insurance provider looks at several factors to determine 1) whether or not they’ll even offer coverage to your company, and if so, 2) what that coverage will cost your company for a given level of coverage. Two of those factors stood out for me as being key determinants.

First, they consider the level of business risk the company is facing: whether you’re in a high or low risk industry from a cybersecurity perspective. A few things drive that assessment. What type of data do you store and how much of it?

Fundamentally, they need to reach a determination as to how attractive you are to a potential hacker and how motivated that hacker might be to hack you!

For example, if you store a material amount of PII or HIPAA-protected data, that will impact the provider’s willingness to provide coverage. If you’re in the business of providing reloadable debit cards, you are a target. No surprise there!

Second, they need to assess how good a job you’re doing – or not doing – of protecting that data and responding to that cybersecurity risk. This is obviously where the responses to the questionnaire – and the SANS 20 – come into play. Have you implemented best practices from an IT security standpoint to protect your organization?

I’ve combined these two factors to create the 2×2 matrix you see here. If the insurance provider believes you represent a very attractive target and haven’t responded to that heightened level of risk with the appropriate security controls (top left corner), there’s a good chance they won’t provide you with insurance coverage or, if they do, the premium will be extremely high.

However, you may have a competitor who faces the same level of business risk, but has done a much better job of responding to that risk through appropriate security controls (top right corner). While their premium may be high relative to a company in the bottom right corner, it will be lower than yours and, perhaps more important, they will have access to insurance, where you do not.

I did ask Ryan to characterize the value of “strong security controls” vs. “weak security controls,” using the questionnaire as the yardstick for that measure – contrast the premium for a company in the top left vs. a company in the top right of the matrix.

He responded that, all things being equal, e.g. two companies in the same industry, same size, same amount of data, etc., the company with weak security controls could face a premium as much as 10x higher than the company with strong security controls!

I can’t speak for you, but no doubt I would get my CEO/CFO’s attention if I offered that as a measurable benefit associated with a proposed security investment!

So, the bottom line for the insurance company is this: are you managing your business security appropriately in light of the level of cyber risk your business faces? I hope the information Ryan and I have provided helps you show your stakeholders how security directly impacts your company’s bottom line, too!

P.S. Have you met John Powers, supernatural CISO?


Title image courtesy of ShutterStock

  • Thank you for an interesting post, John!

    I think there may be some other factors to consider from the CFO’s point of view.

    These might include:

    1) the cost to implement the 20 controls
    2) the estimated effectiveness of the controls once implemented
    3) the applicable regulatory and compliance environment
    4) other mechanisms available to manage risk, including SLAs, contracts, etc.
    5) the organization’s tolerance and appetite for residual risk

    Given the mix of these factors, it might be more advantageous to implement fewer controls and pay a higher premium for insurance.

    Just playing devil’s advocate –

    Best wishes,

    Patrick Florer
    Risk Centric Security, Inc.
    Dallas, Texas

  • Larry

    It is really an informative article, but I think insurance will be suited for those businesses which are large in size.

  • Emily

    What a magnificent article about security! By reading this article I have learned how insurance connects security to the business, and also that we should know about the security of every sector of the business as well. Thanks for this nice allocation.

  • Noah

    It’s that time of year again when my car insurance is up for renewal. I wish at the end of the year you get your money back if you didn’t have any claims. The amount of money I have paid in car insurance over the years is just crazy. What really gets me is when they increase your rates even if you haven’t had any claims.

  • Noah

    Obama doesn’t give a hoot about health care! If the intelligentsia in Congress can’t see this they need to pack their bags and head back to Podunk! As long as Mr. and Mrs. Obama can rob the rich and put the bucks toward their hundreds of luxurious vacations, they could care less if a poor man has health care if he can find it! It’s all in the big plan. “To destroy a society you have to destroy their money!” Get it!?

  • Andy

    Ha, you did a really superb allocation here about insurance and its connecting way with business for security. I hope that through reading such an allocation everyone will understand this issue quite well. Thanks

  • Temporary P

    Thank you John for your great informative article; I learned a lot about insurance and its relationship with business. It is without a doubt that businesses that are considered high risk will call for high premiums and vice versa. Thank you and looking forward to your other articles.

  • Andrew Jackson

    Wow thank you so much for sharing your story I will definitely be more careful in the future.

  • Lloyd

    “He responded that, all things being equal, e.g. two companies in the same industry, same size, same amount of data, etc., the company with weak security controls could face a premium as much as 10x higher than the company with strong security controls!”

    Cyber insurance is still a relatively new field.

    Businesses are going to have to include security controls as part of every day business now.

    It is not a matter of “if” a business will have a data breach but “when”.

    Tighter security controls + cyber insurance is the answer.

  • Rounak Naskar

    Insurance provides a sense of security for your business. Of course you have to pay a healthy premium, but at least you can be assured and get complete peace of mind.

  • swa

    Very nice share man, thanks for this, very useful!

    Thanks again

  • It's best to establish clear parameters in your relationship with your insurance provider. You should be clear about what your provider can, and cannot, do for you. Discuss what you require for your business and make sure they are prepared to offer this level of service.
