What would constitute a benchmark or a suitable budget allocation for cybersecurity insurance?
Sort By:
Oldest
Chief Information Security Officer in Healthcare and Biotecha year ago
I believe this depends on the cyber security posture of the organization. Senior VP & CISOa year ago
Varies based upon posture, vertical, customer and regulatory environment and more. Not a one size fits all. I'd start by chatting with leaders to understand materiality and risk tolerances and then a well-known broker.
First, what industry are you in? Next, what is your regulatory requirement burden, and what are the consequences for breaches and disclosure of data within your organization? If you have HIPAA, GDPR SOX, PCI-DSS types of data, there will be a higher cost to data breaches, disclosures and losses, which will mean you should allocate a higher budget proportionally, than say a hardware chain, or Burger franchise would.
I have been involved in buying Cyber-Insurance for quite a few years, and each underwriter has their own particular set of requirements, etc., so I'd get at least 3 or 4 quotes, but be prepared for an awful lot of paperwork. Check exactly what is and is NOT covered by each underwriter, and see if you can get them to write a custom policy if you can, especially if you have a fairly unique business. If you have patient health information, or financial data, you will find that there are a couple of specialty underwriters that should be able to provide you with targeted and specific coverage.
I'd benchmark the coverage by comparing what your IDEAL coverage would look like, vs. what you can actually get covered, and see how closely those two align with each other; the closer the alignment, the closer you are to hitting your benchmark. In terms of financial benchmarks, I'd look at the cost-payout ratio and make sure you are getting value for money, and not paying absurd premiums that would outweigh the cost of a cyberbreach.
Just a couple of ideas, I hope that helps.