After some of these calls, Wiora says, it became clear that insurers have little awareness of cybersecurity terminology, let alone risks. If he picked an insurance provider with lax practices and suffered a breach, he believes he'd get mired in litigation as the parties debated coverage particulars. "I think there are a lot of problems with this," he says.
Chris Wysopal, CTO of application security vendor Veracode, has heard similar things from clients. He noted that while insurers require building owners to undergo regular inspections to obtain occupancy permits, insurers can provide cyber coverage with a wing and a prayer. "There isn't that inspection where you can say they're at a level where we can feel safe insuring them," Wysopal says.
Talent dearth heightens cyber-insurance challenges
Part of the problem is that the industry lacks the requisite talent to inspect a company’s IT systems and processes to accurately provide price quotes. The world is strapped for cyber-talent, and most of the best are employed by large corporations, where they're paid handsomely to shore up corporate defenses. "Everything from the application process, to the vetting is mired [in inconsistency]," Wiora lamented. "And when you do [as an insurance client] have to file a claim, what company has people with experience in terms of cyber-insurance claim remuneration?"
Joseph Magrady, CIO at Vertafore.
Wysopal says such vetting will become more stringent as a progression of costly hacks force industry definitions for due care and reasonable security evolve. Cases such as the Wyndham Worldwide hack, in which the hotel chain had to pay out more than $10 million to cover fraudulent charges racked up on consumers' credit and debit cards, will help shape the debate about reasonable security, he says. "Court cases are the ultimate arbiters that others in the industry will feed off of," Wysopal says. "If you don't have a reasonable security program insurers are not going to pay out."
Purchasing cyber-insurance isn't the purview of every CIO, but bolstering cybersecurity defenses almost certainly is. Joseph Magrady, who joined Vertafore as CIO from American Express in August, plans to use Hadoop analytics to parse the network for anomalous events. He's also improving education programs for employees and customers, including social engineering testing to see whether employees fall for faux phishing scams. He says education is every bit as important as implementing the right technical defenses to strengthen the overall security posture. "It's not just your technology… it’s about whether your people are aware and how they behave," Magrady says.