I’ve consulted for many organizations and have also dived into the cyber insurance conversation with them. Most companies have a plan. No leader is comfortable publicly claiming they don’t have a policy after an incident occurs; that statement can cost them their job.
What I found interesting about cybersecurity insurance is that the plans organizations use vary widely depending on how the statement of work was arranged and on what is required to meet the policy. Company leadership will ask for pricing on a plan yet sometimes fail to consider the cost of bringing the company up to the state the policy requires, and fail to ask for a cost reduction once new security measures are put in place. They essentially just want to check that box and move on.
The key to obtaining a solid cybersecurity policy is to consider all of these factors and to develop the policy with the technical staff who understand them. A policy could cost X dollars; however, there could be a Y factor, the cost of improving people, process, and technology to meet the policy, that is far more expensive. There can also be a Z factor: by adding additional security, X can go down. I’ve worked for vendors that have teams focused on the Z factor. Those teams review already purchased enterprise agreements for security technology and provide estimates of the cyber insurance savings available by deploying specific technologies. I’ve also worked on teams that perform tabletop exercises and technology assessments used to prove to the cybersecurity policy provider that policy requirements are upheld and that discounts should be applied.
IT Security Guru highlights many of these points in an article covering this topic, found HERE. If you want to see the numbers behind these concepts, check out that article.