Why insurance matters when considering SEC cyber rule compliance
We are still riding high on our recent win at the Cyber Insurance Awards Europe 2024: Axio was awarded Cyber Property Damage Product of the Year and was Highly Commended in the Cyber Insurtech of the Year category.
Pictured (middle): Axio Chief Insurance Officer Dale Gonzalez and Axio CEO Scott Kannry
Cyber-physical damage risk is a top concern for enterprises in the industrial and process world. Given the new reality that insurance coverage for it is not easy to come by, we are dedicated to supporting the market with a new paradigm: our approach to quantifying cyber-physical damage risk helps companies understand this risk and manage it better.
Insurance alters the cyber impact narrative
When a cybersecurity event occurs and financial losses loom over a company, robust cyber insurance can significantly alter the narrative. As more cyber-physical attacks dominate headlines with high-impact consequences, financial recovery becomes a top concern. Imagine a scenario in which cyber insurance is expected to cover most, if not all, of the costs of the incident.
With the SEC's cyber rules focused on the disclosure of material incidents, a company may find that the financial impact of a cyber event has been mitigated to the point where it no longer meets the threshold for being considered "material." With cyber risk quantification this is an achievable outcome, and it is the position we envision for every user of the Axio360 platform.
If the coverage does ensure that the company is ultimately made whole, the incident's materiality diminishes from a financial-impact perspective, and on that basis it may no longer need to be disclosed. This underscores the importance of having cyber insurance and understanding its terms and conditions (retentions, limits, sublimits, exclusions and waiting periods all determine how much of a loss is actually reimbursed), so that the organization can recover financially from potential cyber threats.
You can read up on our thoughts on SEC rules and materiality here:
- Top 3 SEC Cyber Rule Misconceptions
- Understanding Materiality for the SEC Cyber Rules with a Little Help from the Supreme Court
- Turning Materiality Talk into Action
Tailoring deductibles and retentions: insights from materiality determinations
Insurance deductibles and retentions are often intricately linked to a company's materiality determination or risk tolerance threshold. Materiality, in this context, is a measure of the significance of an event, and understanding how it intersects with insurance can be a game-changer. A deductible is the amount of money that the insured party (the organization purchasing the insurance policy) must pay out of pocket before the insurance coverage kicks in. Retention, also known as self-insurance or a self-insured retention (SIR), is the portion of a potential loss that the insured organization agrees to bear without seeking reimbursement from the insurer. In practice the two differ mainly in who handles the loss first and whether the amount erodes the policy limit: a deductible is typically netted out of a limit that already includes it, while an SIR sits beneath the limit, which then applies in full above it.
Companies routinely set deductibles and retentions based on their unique materiality determination or risk tolerance. Here’s where a strategic approach comes into play – insights from other insurance programs can provide valuable context for setting deductibles and retentions specifically for cyber insurance. By leveraging the thresholds established in other areas of coverage, organizations can better align their cyber insurance with the broader risk management strategy.
Regarding deductibles
If the risks associated with cyber incidents are of relatively low materiality for a particular organization, insurers may offer policies with lower premiums but higher deductibles: the organization absorbs more of each loss, so the insurer's expected payout, and therefore the premium, falls. An organization that anticipates fewer and less severe cyber incidents may opt for that higher deductible to reduce premium costs. The opposite holds for highly material risks: lower deductibles and more comprehensive coverage, at higher premiums.
Regarding retention
When cyber risks have low materiality, an organization may choose to retain a larger portion of the risk itself and negotiate a lower premium. With highly material risks, retention is usually much lower, and the premium correspondingly higher.
Understanding the thresholds set for various types of insurance programs offers a comprehensive view, enabling organizations to tailor their cybersecurity risk management to align with their overall financial and risk tolerance objectives.
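As an added illustration (not Axio's model, and not code from this post), here is a small Python model of how a single loss scenario flows through a policy's retention, limit, coinsurance and exclusions, and whether the insured's net retained loss stays under a financial materiality threshold. It covers the deductible-versus-retention distinction above as well as the earlier point about understanding policy terms: all dollar figures, policy terms, loss categories and the threshold are constructed for the example, and only the financial dimension of materiality is modelled.

```python
# Added example (not Axio's model or code from this post): trace a single
# loss scenario through a cyber policy's retention, limit, coinsurance and
# exclusions, and compare the insured's net (retained) loss with a
# materiality threshold. All dollar figures, policy terms and the
# threshold below are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    retention: float            # first-dollar amount the insured bears
    limit: float                # insurer's maximum payout
    erodes_limit: bool          # True: deductible-style, the limit includes the retention
                                # False: self-insured retention (SIR), limit applies above it
    coinsurance: float = 0.0    # insured's share of covered loss above the retention (0..1)
    excluded: frozenset = frozenset()  # loss categories the policy does not respond to


def insurer_payment(policy: Policy, covered_loss: float) -> float:
    """Amount the insurer pays on the covered portion of a loss."""
    above_retention = max(covered_loss - policy.retention, 0.0)
    payable = above_retention * (1.0 - policy.coinsurance)
    # A deductible is netted out of the limit; an SIR sits beneath it.
    cap = policy.limit - policy.retention if policy.erodes_limit else policy.limit
    return min(payable, max(cap, 0.0))


def net_loss(policy: Policy, losses: dict) -> tuple:
    """Return (gross loss, insurer payment, insured's net loss) for a scenario.

    `losses` maps a loss category (e.g. 'property_damage') to a dollar amount;
    excluded categories are borne entirely by the insured.
    """
    covered = sum(v for k, v in losses.items() if k not in policy.excluded)
    gross = sum(losses.values())
    paid = insurer_payment(policy, covered)
    return gross, paid, gross - paid


def materiality_check(policy: Policy, losses: dict, threshold: float) -> dict:
    """Compare gross and net loss against a financial materiality threshold.

    Only the financial dimension is modelled; a real materiality
    determination also weighs qualitative factors.
    """
    gross, paid, net = net_loss(policy, losses)
    return {
        "gross": gross,
        "insurer_pays": paid,
        "net": net,
        "gross_material": gross >= threshold,
        "net_material": net >= threshold,
    }


# Constructed scenario: a cyber-physical incident with three loss components.
SCENARIO = {
    "business_interruption": 6_000_000.0,
    "incident_response": 1_500_000.0,
    "property_damage": 4_000_000.0,
}
THRESHOLD = 5_000_000.0  # hypothetical financial materiality threshold

# Three constructed policy structures applied to the same scenario.
POLICY_SIR = Policy(retention=1_000_000.0, limit=10_000_000.0, erodes_limit=False)
POLICY_DEDUCTIBLE = Policy(retention=1_000_000.0, limit=10_000_000.0, erodes_limit=True)
POLICY_EXCLUDES_PD = Policy(retention=1_000_000.0, limit=10_000_000.0,
                            erodes_limit=False, excluded=frozenset({"property_damage"}))

if __name__ == "__main__":
    for name, policy in [("SIR", POLICY_SIR), ("deductible", POLICY_DEDUCTIBLE),
                         ("SIR, property damage excluded", POLICY_EXCLUDES_PD)]:
        result = materiality_check(policy, SCENARIO, THRESHOLD)
        print(f"{name}: insurer pays {result['insurer_pays']:,.0f}, "
              f"net {result['net']:,.0f}, net material: {result['net_material']}")
```

With the constructed figures, the same $11.5M gross loss leaves the insured with $1.5M under the SIR structure, $2.5M under the deductible structure (the retention erodes the limit), and $5.0M when property damage is excluded, which is exactly the threshold. The first two stay under the materiality line from a financial-impact perspective; the third does not, which is the practical reason to read exclusions and limit language before assuming coverage will carry an incident below the threshold.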
Defining your unique materiality profile not only helps you select optimal insurance coverage; it extends far beyond financial considerations and plays a pivotal role in shaping your entire cyber risk management program, prioritizing investment in control initiatives.
In our recent webinar, Axio CEO Scott Kannry discusses the role of insurance in cybersecurity as a potential "get out of jail free card" for companies facing financial losses. He noted that insurance deductibles and retentions are set on the basis of company-specific materiality determinations, and that those same determinations inform whether a cybersecurity event is material.
Curious to learn more about how Axio360 works to help understand material risks for your organization? Schedule a meeting with one of our cyber risk experts.