In this series, Grace Crickette provides C-level executives a comprehensive overview of cyber insurance, while addressing business impacts and offering best practices for implementing a risk-management strategy that includes a cyber-liability policy.

Part One

The role of the CISO is expanding, shifting from a focus on information security programs to a holistic risk management approach. Necessary skills now encompass IT administration as well as the ability to think strategically to influence business risk decisions affecting everything from developing privacy policies to preparing disaster recovery plans, to obtaining insurance coverage.

Even if the CISO is not driving the insurance purchasing process, enlisting the CISO’s help is critical in creating an insurance program that facilitates improvement and ensures that the insurance policies have the appropriate wording to provide the desired coverage in the event of a breach.

I recently led a roundtable discussion with an impressive group of CISOs. We discussed four topics, and the most animated…okay…heated topic was “insurance.” Opinions were that existing policies offer little value and that the premium dollars would be much better spent in the hands of the CISOs to deploy loss prevention and detection technology.

Whether considering data risk, compliance issues, or hazard risk events, I am always in favor of prevention strategies, but I felt compelled to offer the following:

  1. Insurance policies can be designed by the insured, which means that with a basic understanding of how policies are constructed you can, to a great extent, craft them to suit your organization's needs.
  2. A well-designed risk financing and insurance program, such as a combination of self-insuring and excess insurance or a captive structure, can create a cost-effective and sustainable resource for funding loss prevention and detection.
  3. Insurance policies can be great change agents; it is easier to implement needed controls and programs if “the insurance company requires it.”

Following the in-depth discussion, everyone around the table bought into the strategic virtues of insurance and went running back to their offices to make a date with their risk manager…okay, not exactly what happened…but I did get the CISOs thinking and speaking a bit more broadly about the possible benefits of insurance.

In this series, I hope to provide information that will inform and excite you about insurance. I will be including input and opinion from a variety of my colleagues, including underwriters, brokers, legal counsel, risk managers, and of course some CISOs.

In the coming series we will cover:

*    A Brief History of Insurance

*    Insurance and Risk Management Basics

*    What are we trying to insure?

*    What insurance do we have, and what is covered?

*    Security Assessments, Risk Assessments, and Underwriting Submissions

*    Redefining the rules of cyber-insurance

*    How is the insurance community responding?

*    Business impacts of cyber-insurance

*    How to achieve savings by implementing a risk-management strategy that includes cyber-insurance

Included is an addendum that will build out as we progress through the series: a dictionary of sorts, with “textbook” and “real world” explanations.

If you would like to comment or contribute additional information on this topic, please comment below or email Grace at
Wording: The wording, or written language, in the insurance policy itself is intended to provide protection for the insurance company and to eliminate loopholes in coverage. Policy wording is open to interpretation by the courts.

There are even “wording specialists” employed by the carriers. It is worth taking the time to meet with the wording specialist, as they can be extremely helpful in crafting the language that you desire and in establishing a clear understanding between you and the carrier.

Keep in mind that ambiguity in an insurance policy is not always a bad thing: in many jurisdictions, if the language is ambiguous, the court will, as a matter of law, rule in favor of the insured rather than the insurance company.

Underwriter: Insurance underwriters evaluate the risk and exposures of potential clients, or insureds. They decide how much coverage the client should receive, how much they should pay for it, or even whether to accept the risk and insure them at all. Underwriters are looking for the best “horse” to place their bets on.

The underwriter’s performance is judged largely on their ability to select insureds who will not have severe claims, to determine the correct amount of premium for the coverage, and to ensure the policy is crafted to reduce the risk to the carrier.
