# CISOs and Insurance Risk Managers Unite

Published by Gavin Lillywhite

What do CISOs and Insurance Risk Managers have in common?

They both help to protect earnings and reduce volatility by identifying and reducing risk, keeping the company functioning, investors protected, customers happy, and brand reputation positive.

Working in unison, they can achieve better outcomes for all stakeholders, including themselves. Collectively embracing enterprise cyber risk reduction and better optimisation of insurance risk transfer to support business objectives will also raise their stature in the organisation.

In this article, I share how a CISO can serve as the catalyst for cyber risk reduction and then leverage the knowledge and experience of the Insurance Risk Manager (IRM) to provide actionable and measurable cyber protection outcomes.

Let’s begin with some cyber risk reduction tips for the CISO

You will never eliminate every cyber risk so here are some simple pointers that can help you as a CISO excel in the boardroom:

  1. Identify the top cyber risks aligned to critical business objectives and the most significant revenue streams.
  2. Emphasize to the board the clear linkage between security risk identification, investment, and earnings protection.
  3. Gain agreement with the Board that these ‘defined events’ become the collective [cyber] risk-reduction focus areas.

After completing these three activities, you can home in on a selected, prioritised risk register that is aligned with senior stakeholders, empowering you to build a defensible, auditable cyber risk resilience programme.

Once a CISO has their risks lined up, it’s time to focus on scenarios

The next step in excelling in the boardroom as a CISO is to prioritise and secure cyber risk improvement investment by:

  • Identifying the most impactful scenarios and those that will deliver the greatest return on investment (ROI)
  • Using them transparently to determine what will bring down your loss expectancy with the greatest return, and securing budget with Finance to improve posture
  • Defining your posture/risk improvement programme and giving regular progress updates so the Board can see the tangible benefits of the investment
  • Moving the discussion from cost to ROI, with the CFO as your key ally in the boardroom

So how does the Insurance Risk Manager (IRM) fit into the equation?

The CISO has done much of the heavy lifting at this point. But it’s time to move to a higher plateau for better visibility and actionability by leveraging the knowledge and experience of the Insurance Risk Manager (IRM). On a day-to-day basis, these professionals analyse complex data sets to evaluate the probability and impact of various risks, ranging from market fluctuations to natural disasters. They collaborate with underwriters, actuaries, and other stakeholders to develop effective risk management strategies and to ensure that insurance policies are appropriately priced. Additionally, insurance risk managers stay abreast of industry trends, regulatory changes, and emerging risks, adapting their strategies accordingly. You can use your most critical defined event risks to scenario-test the efficacy of your insurance policy.

Here are the critical questions to settle with your Insurance Risk Manager when working through each cyber risk scenario:

  • Does the policy respond as expected, and can the IRM confidently defend that position to the Board?
  • Will it protect earnings against volatility?
  • Is there still too much residual risk on the balance sheet?
  • Is there a positive impact on my other insurances, e.g. Directors & Officers, ESG?

And if it doesn’t respond as required, use the transparency of your scenario-based cyber risk assessment, quantification, and analysis to create a more purposeful and contract-certain risk transfer solution with your broker and insurer.
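As an added worked example (not the article's or Axio's own model, and not code from either), the scenario and ROI reasoning in the investment list above and the policy-response questions just discussed can both be laid out in a few lines of Python. Every figure is constructed and hypothetical, and the policy is simplified to a per-event retention, a per-event limit and a set of covered perils; real wordings add aggregate limits, sub-limits, waiting periods and exclusions that a broker would need to model.

```python
"""Scenario-based cyber loss quantification: control ROI and insurance response.

Added illustration for this article; it is not Axio's model, methodology or
code. Every figure below is constructed and hypothetical: a real assessment
would take event frequency and severity from the organisation's own risk
register and loss history, and the policy terms from the actual wording.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One 'defined event' from the risk register."""
    name: str
    annual_frequency: float  # expected events per year
    loss_per_event: float    # expected loss per event, in currency units

    def annual_loss_expectancy(self) -> float:
        return self.annual_frequency * self.loss_per_event


@dataclass(frozen=True)
class Control:
    """A posture improvement with an annual cost and an effect on the scenario."""
    name: str
    annual_cost: float
    frequency_reduction: float  # fraction of events prevented, 0..1
    severity_reduction: float   # fraction of per-event loss avoided, 0..1

    def apply(self, s: Scenario) -> Scenario:
        return Scenario(
            s.name,
            s.annual_frequency * (1.0 - self.frequency_reduction),
            s.loss_per_event * (1.0 - self.severity_reduction),
        )


def control_roi(s: Scenario, c: Control) -> float:
    """Return on security investment: (loss expectancy avoided - cost) / cost."""
    avoided = s.annual_loss_expectancy() - c.apply(s).annual_loss_expectancy()
    return (avoided - c.annual_cost) / c.annual_cost


@dataclass(frozen=True)
class Policy:
    """Simplified cyber policy: per-event retention, per-event limit, defined perils."""
    retention: float           # deductible / self-insured retention per event
    limit: float               # maximum insurer payout per event
    covered_perils: frozenset  # scenario names the wording responds to

    def response(self, s: Scenario) -> tuple[float, float]:
        """Split one event's loss into (insurer pays, retained on the balance sheet)."""
        loss = s.loss_per_event
        if s.name not in self.covered_perils:
            return 0.0, loss  # wording does not respond: the whole loss is residual
        paid = min(max(loss - self.retention, 0.0), self.limit)
        return paid, loss - paid

    def retained_ale(self, s: Scenario) -> float:
        """Annual loss expectancy still on the balance sheet after the policy responds."""
        _, retained = self.response(s)
        return s.annual_frequency * retained


# Constructed example inputs (hypothetical figures, not from any real assessment).
RANSOMWARE = Scenario("ransomware halts order fulfilment", 0.2, 10_000_000.0)
CLOUD_OUTAGE = Scenario("contingent outage at cloud provider", 0.5, 1_000_000.0)
BACKUP_SEGMENTATION = Control("offline backups + network segmentation", 400_000.0, 0.25, 0.6)
POLICY = Policy(retention=500_000.0, limit=5_000_000.0,
                covered_perils=frozenset({RANSOMWARE.name}))


def worked_example() -> dict:
    """Run the scenario before and after the control, then test the policy against both."""
    after = BACKUP_SEGMENTATION.apply(RANSOMWARE)
    return {
        "ale_before": RANSOMWARE.annual_loss_expectancy(),
        "ale_after": after.annual_loss_expectancy(),
        "control_roi": control_roi(RANSOMWARE, BACKUP_SEGMENTATION),
        "response_before": POLICY.response(RANSOMWARE),
        "response_after": POLICY.response(after),
        "retained_ale_after": POLICY.retained_ale(after),
        "uncovered_response": POLICY.response(CLOUD_OUTAGE),
    }


if __name__ == "__main__":
    for key, value in worked_example().items():
        print(f"{key}: {value}")
```

With these constructed figures the control pays for itself two and a half times over, and it also pulls the per-event loss inside the policy limit, so the amount retained on the balance sheet falls from the full 5,000,000 above the limit to just the 500,000 retention. The second scenario shows the other failure mode the IRM is checking for: a peril the wording does not cover leaves the whole loss as residual risk, however good the controls are.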

Your risk improvement programme is fully transferable to securing enhanced cyber insurance protection: leading insurers will offer you an incentive to invest, including improved coverage and/or pricing subject to completion of the improvements, so your organisation gets a twofold return on the investment.

If the breach event you defined does occur, you can be confident that the risk has already been envisaged, planned for, and mitigated, and the IRM and Finance can be confident that the insurance policy will respond as expected, with no ifs, buts, or maybes.

Assessing and quantifying scenario-based cyber events, and using them to determine insurance ‘defined perils’ with full clarity about the event, is more attractive to reinsurance markets. That enables clients to access greater capacity for the meaningful, defined event scenarios identified jointly by the CISO and IRM.

Working with Axio empowers you to implement the above approach, protect your business, and optimise your insurance risk transfer options. Make sure your decisions are conscious ones!

Please reach out to me if you would like to continue the conversation.


Gavin is a Chartered Insurer with 30 years of global insurance industry expertise, joining Axio in June 2023 after 22 years at Allianz. Throughout his career, he has held a variety of roles including Global Property & Casualty Underwriting whilst leading Financial Institutions and Real Estate Underwriting portfolio verticals, Client Management, and Global Broker Management.

Having spent more than half his career in global roles he has expert knowledge of global insurance markets from the Americas to Asia Pacific and everything in between across Property & Casualty (including Cyber), Specialty, Credit Solutions, Asset Management, and Life & Health.