What underwriters want to know from brokers when placing cyber coverage

Brokers placing cyber insurance should take a good look at their clients’ information security culture, a computer security expert advises.

What is “often overlooked by brokers is that underwriters really care about the security culture of an organization [applying for cyber insurance],” said Pascal Millaire, CEO of CyberCube Analytics Inc., in a recent interview. Security culture is the extent to which computer security is “seen as a business issue rather than an information technology issue,” added Millaire, who spoke to Canadian Underwriter last Friday.

“Underwriters are looking for organizations where cyber security is a consideration at the board level, all the way down to training front-line employees,” Millaire said. “Where major cyber breaches happen, it becomes a board-level issue. It becomes a CEO-level issue. In some cases, it can even become a solvency issue that threatens the future of the organization.”

Companies with a good security culture can get “more attractive” terms and pricing on their cyber insurance, Millaire said.

How do brokers know if the client has a security culture?

One factor affecting how much a client might pay for cyber is whether or not the client has a plan to respond to an information security incident such as a breach of confidential data or malware that prevents the client’s employees from using their computers.

A broker could ask a client how often the incident response plan is tested.

Another question may be: who within the organization participated in the most recent incident response exercise? If only IT staff were involved in the most recent cyber breach exercise, “that is not a particularly good answer” to give to an underwriter, Millaire noted.

Certainly if the first time senior executives are thinking about how to respond to an incident is when they are addressing media, customers or shareholders after an incident happens, “the reality is, it’s too late,” Millaire said. The consequences of a cyber incident could include not being able to use the computers or compromise of sensitive data.