Forrester’s 2018 Guide To Cyberinsurance

Today, no one is 100% secure — believing otherwise is hubris of Icarian proportions.

This reality is a core reason why more organizations are turning to cyberinsurance: without it in some form (whether a purchased policy or their own allocated cash reserves), they have no safety net to stem losses from a serious cyberattack.

CISOs need every risk mitigation technique they can get, and cyberinsurance can be one of them — an effective tool to mitigate and transfer cyber risk. But getting the right coverage, terms, and services is far easier said than done.

Learn To Navigate Today’s Cyberinsurance Market

Security leaders who take time to understand the ins and outs of the cyberinsurance market have a distinct advantage in everything from broker selection to policy negotiations.

This is why we launched our cyberinsurance research: to guide our business and security clients through this $1.5 to $3 billion (and growing) market and to offer insight and best practices to better mitigate cyber risk. Check out the full report for more analysis.

Key Findings

What we found is a cyberinsurance market that looks a lot different than even 2–3 years ago and keeps evolving quickly. Likely no surprise to security pros, many insurers’ cyber offerings are their fastest-growing product lines. Still, insurers and security buyers alike grapple with a list of pain points. Here are some of our key findings:

  • The cyberinsurance market is maturing, but growing pains persist. We see positive signs that the market is growing up: more transparent policies, fewer contentious claim holdups, and insurers with a better understanding of cyber risk. Still, it’s far from painless. Security leaders face countless hurdles, including pedantic legalese, pricing hikes, IP and reputation coverage gaps, and disconnected purchase decisions due to internal discord.
  • Buyers navigate a labyrinth of intertwining providers and partners. Our report maps out the intricate web of cyberinsurance underwriters, brokers, reinsurers, consultancies, data analytics and cyber risk scoring providers, and carefully constructed carrier panels of post-breach services, such as incident response and legal counsel. And for large enterprises, there are self-insurance and captive options that may offer capitalization or tax advantages.
  • The devil is in the details. For both cyberinsurance veterans and newbies, it’s easy to make mistakes. Even a slight variance in your policy’s definition of “computer fraud” can be the difference in millions of dollars of coverage. We break down cyberinsurance coverage gaps and limitations into four categories: 1) sublimits and deductibles; 2) explicit exclusions; 3) implicit restrictions; and 4) services constraints. You’ll want to read up on all of these before you start redlining your policy.
  • Choose your cyberinsurance broker wisely. The most important cyberinsurance relationship is between the CISO and broker. Whether it’s selecting a cyberinsurance carrier, updating your policy, or handling major claims, you’ll turn to your broker first. During your broker selection process, make sure that their incentives prioritize your relationship — not their relationships with partners. Review the services they offer, their cybersecurity acumen, partner ecosystem, and the experience of existing customers.

Stay In Touch

We’d love to hear your reactions! Connect with us on Twitter: @heidishey and @nickhayes10.