More Asian organizations will be forced to ramp up their security programs as they attempt to obtain cybersecurity insurance coverage to help minimize the financial impact of a data breach, says Mark Weatherford, chief cybersecurity strategist at security vendor vArmour.
CISOs can make the case for deploying certain security tools because having them in place could "save money on our insurance premiums," Weatherford, a former U.S. government cybersecurity specialist, says in this interview with Information Security Media Group at the recent 2016 RSA Conference Asia Pacific & Japan in Singapore.
"At some point, the insurers are going to start demanding better security before they will even write you a policy," he adds. "When that happens, a CISO is going to have all the ammunition they need to say we need to do X, Y and Z in order to even buy insurance. I know of a couple of ... incidents where the underwriter told a company, 'We're not going to sell you cybersecurity insurance because your security program is so poor.' So, they had to raise the bar before they could even buy insurance."
Too many Asian companies focus on compliance, rather than a comprehensive security program, Weatherford says. But the growing interest in obtaining cybersecurity insurance could be a strong incentive for a change in security priorities, he adds.
"As we've suffered more and more data breaches and more and more security incidents, companies are beginning to realize that just like you wouldn't go without car insurance or life insurance, you need to have cybersecurity insurance," he says.
In this interview, Weatherford also offers insights on:
- How to start a cybersecurity insurance discussion with the board;
- The need for insurance underwriters to better understand the risks that they're underwriting;
- Why requiring all stored data to reside within one nation is unrealistic in light of cloud computing.
Weatherford is a well-known cybersecurity specialist in the United States, having formerly served as deputy undersecretary for cybersecurity at the U.S. Department of Homeland Security and CISO for the states of California and Colorado. He also formerly was principal at the Chertoff Group and vice president and chief security officer at North American Electric Reliability Corp.
Associate Editor Varun Haran contributed to this report.