Bridging the Insurance/InfoSec Gap: Results of the SANS Cyber Insurance Survey Released

Bethesda, Md. – The fast-growing cyber security insurance market could triple in size by the end of the decade, despite communication problems that often make it difficult for information security and insurance professionals to work together. The communications gap is so wide that only 30% of underwriters and 38% of InfoSec respondents believe they even speak the same language, according to the results of the SANS Cyber Insurance Survey, conducted in conjunction with Advisen, Ltd. and sponsored by PivotPoint Risk Analytics, to be released by SANS Institute on June 21.

"As cyber insurance becomes part of more organizations' cyber resilience strategies, information security professionals and risk managers must take a holistic view of cyber security, and they must have a common framework for working with insurance brokers and underwriters. Today they don't," said Julian Waits, CEO, PivotPoint Risk Analytics. Despite the need to work closely together on policies, the survey showed that the two groups don't share a common definition of a concept as fundamental as "risk." "Closing those gaps in terminology, assessment, communication and investment will move us closer to being able to achieve that goal," says Barbara Filkins, SANS Analyst and author of the survey.

The whole field is so new and the threat environment changes so quickly that it is difficult for insurers to determine which risks pose a significant threat to a specific customer. "Legal terminology is also so new and amorphous that it is difficult to know what protections the language of an insurance policy actually provides," according to Ben Wright, a SANS senior instructor, author and practicing attorney who contributed to the report.

Both sides are working to resolve those gaps and uncertainties, Waits said. "This research provides a clear understanding of the gaps, and is an important step toward building a bridge."

This collaborative effort of SANS, PivotPoint Risk Analytics and Advisen identifies the gaps inhibiting the communities from working together effectively and provides the building blocks needed to reduce the risk of financial loss associated with cyber incidents.

"The cyber insurance market is growing rapidly, and organizations of all types and sizes are now purchasing cyber insurance. Consequently, information security professionals and cyber insurance brokers and underwriters are interacting more frequently. We at Advisen are delighted to work with PivotPoint and the SANS Institute to help understand how these interactions can be more productive," said David K. Bradford, co-founder and chief strategy officer, Advisen Ltd.

Full results of the survey will be shared during a June 21 webcast at 1 PM EDT, sponsored by PivotPoint Risk Analytics in cooperation with Advisen, Ltd, and hosted by SANS. Register to attend the webcast at

Those who register for the webcast will also receive access to the published results paper developed by SANS Analyst Barbara Filkins with contributions by Ben Wright and David Bradford.

SANS 2016 Cyber Insurance Survey Results: Bridging the Insurance/InfoSec Gap- 6/21 Webcast @ 1PM ET | Register Now:

About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. Today, SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals in government and commercial institutions world-wide. Renowned SANS instructors teach more than 60 courses at in-person and virtual cyber security training events and on demand. GIAC, an affiliate of the SANS Institute, validates practitioner skills through more than 35 hands-on, technical certifications in cyber security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers a master’s degree, graduate certificates, and an undergraduate certificate in cyber security. SANS Security Awareness, a division of SANS, provides organizations with a complete and comprehensive security awareness solution, enabling them to easily and effectively manage their ‘human’ cybersecurity risk. SANS also delivers a wide variety of free resources to the InfoSec community including consensus projects, research reports, webcasts, podcasts, and newsletters; it also operates the Internet's early warning system–the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to support and educate the global information security community.