Watch the video above for the compilation of Felicia’s takes on this topic.

Over the past few years, the paradigm shift in cyber insurance has been significant. As cyber threats continue to evolve and become more sophisticated, the traditional approach to cyber insurance has become inadequate. In the past, cyber insurance policies focused primarily on providing coverage for data breaches and network security incidents. Cyber insurance has now expanded to cover a broader range of cyber threats, such as cyber extortion, business interruption, and reputational harm. This has resulted in an increased emphasis on risk management and prevention.

QPC’s Felicia King, along with Kirsten Bay of Cysurance, joined a webinar hosted this week by Meg Perron of SecurityStudio to discuss what this trend means for the cybersecurity industry.

From Felicia’s perspective as a CISO, there has been a major shift in the last 3 years. Previously, executive management would delegate, and the word of the IT directors would be sacrosanct, resulting in a signed contract for a cyber insurance policy. However, in a lot of cases the IT directors did not really follow the right processes and/or did not have contemporaneous evidence of their cybersecurity efforts. This would then lead to major catastrophes, because the organization’s actual practices did not align with the policy requirements. The smartest approach for a company is to get a CISO backed by a good technical team, develop a regular relationship with them, look at the reports, and understand what they mean.

Kirsten Bay highlighted something we talk about at QPC all the time: it is not enough for companies to show a compliance report; they need continuous verification if they have any interest in the viability of the business. This aligns with QPC’s recommended approach to cyber insurance, which includes automated reporting and state attestation that is automatically published into the GRC (governance, risk and compliance) platform. This is a foundational element of the QPC process put in place for any client.

The driving force behind such an approach is, without question, the CISO. Whether the client is a small to medium-sized business that may not get much airtime with its insurance broker, or a large organization, the CISO is the ideal conduit to help interpret the insurance policies. This also means that the client commits to a continuous relationship with the CISO, who is also the incident commander: someone with a convergence of knowledge on the technical aspects, legal requirements, and insurance requirements.