Process: a series of actions or steps taken to achieve a particular end.
From time spent in the military, I will always remember the importance of process. Without process, there is no consistency to approach, no guardrails when times are tough and no foundation to measure against and improve upon. Having moved to the civilian workforce – from the financial industry to the shifting sands of cyber security within the insurance space – I see that that same principle applies. The ability to formalize processes is critical.
In 2024, the cyber situation is dire. According to a report from ESG and the ISSA, 70% of cybersecurity professionals say their organization is affected by the shortage of cybersecurity skills. Meanwhile, the global cyber insurance market tripled in volume in the five years that ended in 2022, and the Insurance Information Institute reports that global direct written premiums for cyber insurance are projected to escalate to $23 billion by 2025.
A skills gap. A surge in premiums. A growing demand. Something has got to give. The world of cyber resilience (which includes cyber insurance) continues to reinvent itself as it changes to mitigate new threats and bad actors. The industry must maintain pace with this evolving landscape. Process is at the heart of this equation.
Refining policies and grappling with pricing in this industry’s infancy
It wasn’t too many years ago that the relatively new market of cyber security was thrust into the spotlight following an explosion of digital transformation at a state and national level.
The first (and very limited) cyber insurance policies were written in the late nineties and early aughts. Cyber insurance policies were historically centered on security liability, data loss and unauthorized access.
The scope of cyber continues to broaden as digital transformation and connected technologies overhaul every facet of our lives, from museums opening online collections and archives, to restaurants taking a digital, omnichannel tack with orders, and every business in between. You’ll be hard-pressed to find any industry that doesn’t have digital tentacles attached, ranging from bring your own device (BYOD), to remote devices, to digital subscriptions and more. All this to say that what makes up policies and how they are priced are constantly moving goalposts.
As cyber insurance matures, and businesses and carriers better understand pricing and risk, this equation will (we hope) balance out. However, to offer more personalized policies and align coverage with unique business demands, the industry will have to shape up quickly. Carriers should look at their underwriting, policy and claims processes to see where efficiencies can be found, where new data can be leveraged and where creativity can support more competitive products. This isn’t the silver bullet to solve all of the industry’s growing pains, but it’s a welcome start.
Lowering demand through education
It’s also important to flip the script from carriers to insureds. This is a team game, with cyber insurance a borderline non-negotiable for any business, agency or organization. The demand is rightfully high. This shouldn’t change. However, there are steps that security leaders can take within their organizations to help the industry at large. Putting the right processes in place can help the industry – as a whole – grapple with this challenge and potentially lower premiums.
Business continuity and disaster recovery strategies: Too often, organizations have these documents or strategies in place, but they are seldom representative of an actual incident that might take place – let alone practiced in such a way. This needs to change. Organizations must show a holistic approach to cyber resilience, from continuing training to technical support to flexible policies that support recovery and damage mitigation. This extends beyond your organization’s four walls and into your partner network, as well.
Balancing domain knowledge with technology expertise: Security leaders will be tasked with showing that they understand not only the security landscape but the business landscape they are supporting. Simply doing security for what is believed to be security’s sake is a path to trouble. The better security leaders can articulate how their processes, programs and protocols map to the specific business challenges at hand, the better their chances at finding and paying for the right coverage. Make sure your organization – and your enterprise ecosystem – is evaluated on having a blend of expertise.
Better measurement of what success looks like: Part of the industry’s maturation is understanding how to measure or demonstrate value to help paint the full security picture. This information can also be used to better evaluate risk and to find, build and price a policy. Security leaders are taking a more prominent seat at the table. Just as a sales or operations or technology leader shows value through key performance indicators (KPIs) and performance measurement, so should security leaders. A good place to start is stacking up against widely accepted security frameworks and training programs.
Shifting the conversation from cyber security to cyber resiliency
This has been slowly happening, but cyber resiliency will be the way forward – underpinned by the right processes. Resiliency is about more than that one moment when a problem occurs. It’s what is done before, during and (arguably most importantly) after a threat or failure.
The cyber insurance, mitigation and resilience conversation is here to stay. And it is far from an easy solve. We must reinforce processes – specifically, collaborative processes – in which all parties involved support the common goal of lower premiums, more accurate policies and resilience through education.
These are the building blocks to a manageable future.