It seems more companies are considering whether to purchase or enhance their cyber or data breach insurance coverage. In recent years these offerings have expanded, giving businesses more choice, and perhaps so has the need for such coverage, given the explosion of access to and transmission of confidential data. What is interesting about this development is the different approaches companies seem to take when evaluating this type of coverage.
Networkworld reports today on a study by the Ponemon Institute finding that, of the companies surveyed, "chief information officer[s] and chief information security officer[s] have ‘very little influence’ in deciding whether to buy cyber security insurance." According to the report, the survey also shows that
companies rarely do a formal risk assessment by in-house staff to figure out how much insurance coverage should be purchased. Instead, they rely on the insurer to do that or take a very informal approach. Only 32% of the respondents said the IT security department had a very significant level of involvement; 35% cited “some involvement;” and 33% said there was absolutely “no involvement” for IT security staff.
It is not surprising that chief information officers do not hold the purse strings in most organizations when it comes to decisions about buying insurance. However, risk assessments are critical. Doing a proper risk assessment, one that takes into account all aspects of an organization that could pose information risks, of course including IT, seems fundamental to understanding what risks exist and what role insurance can play in addressing those risks. Additionally, in some cases, risk assessments are required – e.g., HIPAA security regulations, Massachusetts data security regulations.