How information security is addressed throughout an enterprise will play an increasingly critical role in how cyber-insurance providers determine coverage and pricing.
"A number of underwriters now are looking toward what is the business culture toward data protection as opposed to do you have this particular piece of software in place," says Michael Menapace, adjunct professor of insurance law at Quinnipiac University School of Law.
Menapace testified at a hearing examining the evolving cyber-insurance marketplace held March 19 by the Senate Commerce, Science and Transportation Subcommittee on Consumer Protection, Product Safety, Insurance and Data Security.
A six-minute audio report on the evolving cyber-insurance market accompanies this article. In the report, you'll hear:
- Catherine Mulligan, senior vice president of the management solutions group at insurer Zurich North America, who says companies like hers need to help their policyholders understand the importance of an information security culture as threats and risks evolve.
"Historically, the assumption at the enterprise level was that it [information security] was an IT issue and that's something that's changed in the last 18 months, when our boards of directors are really on notice that there has to be a high-level governance of this problem," she says. "We really encourage a culture of awareness from the boardroom to the mailroom. ... We really look to help companies move to resiliency rather than just protection."
- Ben Beeson, vice president of cybersecurity and privacy at the insurance brokerage Lockton Cos., who discusses how companies are growing more concerned about getting insurance coverage for the physical damage a cyber-attack can cause.
"Critical-infrastructure industries, many of which are more worried about physical damage, business interruption loss, bodily injury - that is where there's a real challenge in the [insurance] marketplace and where the focus is shifting," Beeson tells lawmakers. "I'm not saying the handling of personal information is not an issue; it certainly is, and we've seen that over the last year, there's no doubt about that. It's much broader than that, now."
The insurance executives also told the subcommittee that passing cyberthreat sharing legislation should help underwriters by providing them with a trove of valuable data to help determine types of cyber coverage to offer and set cyber-insurance policy prices.