Cyber Insurance: The Evolving Role of CISOs

The landscape of cyber insurance is undergoing a significant transformation, driven by the increasing complexity of cyber threats and the financial implications of security breaches. Insurance companies are now actively engaging with security departments and Chief Information Security Officers (CISOs) to better assess the risk profiles of their clients. This shift is not just a trend but a necessity, as the stakes have never been higher for both insurers and insured organizations.

The MOVEit Case: A Wake-Up Call for Cyber Insurance

The MOVEit file transfer software, developed by Progress Software, was exploited to breach several major organizations. Progress Software plans to collect on its $15 million cyber insurance policy, a move that is likely to affect how insurers approach their risk assessments. According to Mark Millender, senior advisor for global executive engagement at Tanium, this will drive up premiums and increase the requirements for coverage. The incident has also led to greater scrutiny of insured organizations at policy renewal, taking into account their cybersecurity defense posture and how past incidents were handled.

The Importance of CISO Involvement

Traditionally, the negotiation of cyber insurance policies has been the domain of general counsels, CFOs, or COOs. However, involving the CISO in these discussions is becoming a best practice. The CISO can provide valuable insights into the organization’s security controls and strategies, thereby helping insurers understand the risk better. Jason Rebholz, CISO at cyber insurer Corvus, emphasizes that this interaction can also provide critical threat intelligence to the CISO, transforming the insurer from a financial partner to a threat intelligence partner.

The Small Business Dilemma

While large organizations often include CISOs in cyber insurance discussions, small and midsize companies may not have a dedicated CISO. This puts them at a disadvantage, especially when it comes to insurance claims. Scott Godes, partner and co-chair of the Insurance Recovery and Counseling Practice at Barnes & Thornburg LLP, stresses the need for a strong CISO to present the importance of cybersecurity issues to the board. In the absence of a CISO, small companies are likely to face higher premiums due to the assumed higher risk.

The Collaborative Future

The increasing engagement between insurers and CISOs is shaping a more collaborative future. Dara Gibson, cyber insurance services leader with Optiv, notes that a greater understanding of what ‘good’ cybersecurity looks like is taking shape. This collaboration is instrumental in helping organizations improve their security posture, thereby benefiting both the insurer and the insured.

The Future of Cyber Insurance?

The move by insurance companies to actively engage with security departments and CISOs is a welcome and necessary shift. It not only supports better risk assessment but also fosters a collaborative environment in which both parties benefit. For small companies without a dedicated security team, the message is clear: invest in cybersecurity or face steeper insurance premiums. As cyber threats continue to evolve, so will the relationship between insurers and CISOs, making it an essential partnership in the modern business landscape.

Paul Bergman runs a business strategy and cybersecurity consulting company in San Diego. He writes on cybersecurity and board management for both corporate and nonprofit boards.