Decoding cyber insurance policies is among the CISO’s duties. (Credit: Bartek/Adobe Stock)

Cyberattacks relentlessly target every sector, whether it’s industries still reliant on outdated legacy systems or those with the latest cutting-edge technology.

Hospitals, banks, energy companies, retailers, manufacturers and logistics suppliers are all targeted and victimized. The reality is that no matter how advanced the industry, cybercriminals are finding vulnerabilities in the attack surface faster than the security experts can identify them. These attacks are not only growing in frequency but also becoming increasingly sophisticated. As a result, global cybercrime damages are projected to rise by 15% annually, Forbes reports, reaching a staggering $10.5 trillion USD by 2025.

Cyber insurance offers organizations a crucial layer of protection amid the growing fears of data breaches and ransomware attacks. However, not all cyber insurance is created equal. It’s not a one-size-fits-all solution, nor is it an instant fix-all.

Finding the right cyber insurance fit often hinges on an organization’s Chief Information Security Officer (CISO). It’s the CISO who comprehensively understands the risks the company faces and knows how to align those risks with the appropriate coverage. Let’s say there's a retail company with a high volume of customer transactions, making it vulnerable to phishing attacks. In this case, the CISO should seek an insurance plan that specifically covers point-of-sale system vulnerabilities, third-party vendor breaches, and comprehensive ransomware response, rather than settling for a generic, off-the-shelf plan.

Resistance to change

Despite their critical role, CISOs are often sidelined in the decision-making process for cyber insurance, leaving the buying entirely to those in procurement, who may not understand where the value lies in such coverage. Without CISO involvement, companies will remain in a constant state of vulnerability over the cost of data breaches. As data protection laws become increasingly strict, these breaches can result in hefty fines and prolonged lawsuits. This heightened sense of insecurity fuels internal blame games and finger-pointing, eroding employee morale and eventually driving down retention rates.

Some of the exclusion of CISOs from the insurance process could stem from the procurement department not understanding its importance. There’s the assumption that cyber insurance procurement belongs solely to risk managers or legal teams simply because it's always been that way. As a result, the CISO continues to be viewed as just another stakeholder, a view that overlooks the critical role they play in defending the company against evolving cyber threats.

Organizations must recognize that the role of the CISO is evolving into something far more expansive and fluid. The reputational damage from even a single data breach can be irreversible, and long-term survival depends on fully integrating the CISO, who better understands the risk, into all stages of their cyber defense strategy.

Procurement and response

CISOs need to be involved in the insurance procurement process, as they and their team are the ones on the front lines when an attack happens. Without the CISO custom-tailoring the policy to fit the company’s unique risk profile, they’ll be left scrambling during a crisis to determine what’s covered, how the coverage works, and which providers they can use. Involving the CISO from the start not only reduces the likelihood of successful attacks but ensures a faster and more effective response when one occurs.

A CISO being caught off guard during a cyberattack often stems from a mismatch between their incident response plan and the insurer’s list of pre-approved vendors. Many CISOs build close-knit relationships with specific incident response providers, legal teams, and communication partners as part of their crisis management strategy. However, these carefully crafted plans are often discarded when insurers require the use of pre-approved vendors. Had the CISO been involved in setting up the insurance policy, this disconnect could have been avoided.

In my years of heading cybersecurity teams, I once worked with a CISO who detected a ransomware attack early on a Sunday morning during a holiday weekend. The CISO immediately contacted their trusted incident response team, only to find out that the insurer did not approve the vendor. This forced them to switch to one of the insurer’s pre-approved vendors, causing a staggering eight-hour delay in response. Had the CISO’s preferred team been permitted to act, containment could have begun within 45 minutes.

These situations don’t have to be the norm. To prevent this, CISOs should not only be integrated into the insurance procurement process but also establish strong relationships with vendors once the policy is in place. Conducting tabletop exercises with these vendors ensures a smooth transition from planning to action when an incident occurs.

The vendor question

Organizations face a tough decision when procuring cyber insurance: whether to prioritize their trusted vendors or accept the insurer’s pre-approved list. Many businesses have long-standing relationships with certain vendors for handling cyberattacks, and breaking those ties can feel like a betrayal. However, sticking with preferred vendors can lead to reduced coverage or higher out-of-pocket expenses.

Resolving this question requires objectivity — putting aside emotional attachment, bias and resistance to change to weigh the benefits of trusted vendors against the cost of adhering to the insurer’s requirements. Some insurers offer flexibility, allowing companies to include preferred vendors in their policy, but often at the cost of a higher premium, not unlike health insurance when a patient needs to go “out of network.”

These discussions need to happen early in the procurement process to avoid any surprises during a crisis. Ideally, this conversation is led by a CISO who is bold, impartial, and unafraid to challenge existing vendor relationships, insurers, or executives clinging to the status quo.

Decoding complex policies

The CISO’s duty also involves decoding cyber insurance policies, which are often complex and dense, and packed with exclusions, limitations, asterisks and fine print. For example, some policies may only cover the first wave of random attacks, leaving companies exposed to subsequent incidents. Others may require the use of specific vendors for incident response. A modern CISO reviews the policy thoroughly, often multiple times, and ensures they can clearly translate it to every arm of the organization.

CISOs also need to be mindful of a policy’s retention — the out-of-pocket expenses the company must cover before the insurance kicks in. Without a clear understanding of these financial implications, companies may face margin-ruining costs when a claim is made. It’s like the deductible on car insurance: while it may seem small compared to the total cost of a claim, it can still have a significant impact on a driver’s finances if not properly planned for.

Protection is non-negotiable

Despite the surge in cyberattacks, a surprising number of businesses still opt for no protection at all — whether due to disillusionment with past cyber insurance experiences or overconfidence in their data security team. This is a critical mistake. Any business handling data should have some form of cyber coverage, especially now, with the wide variety of products available. Cyber insurance offers scalable solutions, allowing smaller businesses to find coverage that fits both their budget and risk profile.

Even companies that don’t handle sensitive data can benefit from cyber insurance if they rely on smooth operations to meet business goals. Manufacturing companies, for example, can experience costly production delays due to cyber incidents, especially in today’s fast-paced, next-day shipping environment. In fact, cyberattacks on the manufacturing sector are more common than many realize: in 2023, the industry accounted for over 25% of all cyberattacks, a sharp rise from just 8% in 2019.

Collaborative, yet decisive

The role of the CISO should be collaborative, acting as a bridge between key stakeholders such as legal, risk management, finance, and even HR and PR teams. Cyber insurance is not the sole responsibility of any one department; rather, it requires input from multiple areas of the business to ensure the policy aligns with the company’s overall risk management strategy. A modern CISO values the insights of other board members and security teams but must also have the boldness to make decisive calls on cyber insurance, always prioritizing the organization’s approach to risk management and long-term security.

Paul Caron is Head of Cybersecurity, Americas at S-RM, a global corporate intelligence and cyber security consultancy. He can be reached at [email protected]. Any opinions expressed here are the author's own.
