What would constitute a benchmark or a suitable budget allocation for cybersecurity insurance?


CIO in Services (non-Government), 201 - 500 employees
This is quite a broad question, and the answers will be very diverse.

First, what industry are you in? Next, what is your regulatory requirement burden, and what are the consequences for breaches and disclosure of data within your organization? If you have HIPAA, GDPR, SOX, PCI-DSS types of data, there will be a higher cost to data breaches, disclosures and losses, which will mean you should allocate a proportionally higher budget than, say, a hardware chain or burger franchise would.

I have been involved in buying Cyber-Insurance for quite a few years, and each underwriter has their own particular set of requirements, etc., so I'd get at least 3 or 4 quotes, but be prepared for an awful lot of paperwork.  Check exactly what is and is NOT covered by each underwriter, and see if you can get them to write a custom policy if you can, especially if you have a fairly unique business. If you have patient health information, or financial data, you will find that there are a couple of specialty underwriters that should be able to provide you with targeted and specific coverage.

I'd benchmark the coverage by comparing what your IDEAL coverage would look like, vs. what you can actually get covered, and see how closely those two align with each other; the closer the alignment, the closer you are to hitting your benchmark.  In terms of financial benchmarks, I'd look at the cost-payout ratio and make sure you are getting value for money, and not paying absurd premiums that would outweigh the cost of a cyberbreach.

Just a couple of ideas, I hope that helps.

Chief Information Security Officer in Healthcare and Biotech, 1,001 - 5,000 employees
I believe this depends on the cyber security posture of the organization. 

Senior VP & CISO, 1,001 - 5,000 employees
Varies based upon posture, vertical, customer and regulatory environment and more. Not a one size fits all. I'd start by chatting with leaders to understand materiality and risk tolerances and then a well-known broker. 
