Cybersecurity is no longer confined to IT departments. As threats escalate, executive disengagement has become one of the greatest liabilities a business can face.
“Especially being a C-suite or on a board, you have extra exposures,” said Brett Klein, vice president at RT Specialty. “These can range from constant improvement in information technology to implementation of preventative plans, such as an incident response plan or disaster recovery plan.”
Yet many leaders still assume outsourcing IT or buying a policy shifts the responsibility. “A big one is if they outsource their IT company and think that firm will cover me for all of my losses and all of my exposure,” Klein said. “The business still has the exposure. It could affect the longevity of that business.”
Purchasing insurance is just the start. “Employees can be a big variable, so educating them is important,” Klein said. “Executives have much more exposure in the event of a cyberattack, and it's definitely important for them to be more involved than just purchasing the insurance.”
That doesn’t mean the CFO has to moonlight as a CISO - but they can’t be uninformed. “I’m not expecting or saying everyone with a C-level title should have a CISO hat,” Klein said. “But the more education you have, the better preventative measures and better education you can have to make sure the business is in a great state.”
Too often, Klein hears statements that downplay the risk, such as: "If I'm down for a period of time, it really wouldn't be a doomsday scenario."
"A business down for a week or a month can be pretty detrimental," he said.
Reputational damage carries even more risk and is often overlooked. Cyber events can rapidly erode customer trust, something many businesses fail to grasp.
"Public perception is how we operate in a lot of what we do," Klein said. "Not recognizing the importance of that potential reputational fallout is huge."
While some cyber insurance policies include extensions for reputational harm, they typically require quantifiable proof of financial loss.
"Reputational harm is generally what it is addressed as. It's an extension of a business interruption trigger," Klein said. "It is meant to pay for that potential proven reputational fallout coverage if it can be quantified."
As cyber threats evolve, so do the policies to guard against them. Insurers have refined coverage definitions, particularly around third-party breaches and delayed executive responses.
"Some of the things that we've seen are more specific policy definitions to better clarify intent," Klein said. "There have been scenarios where generalization can cause granularity and confusion."
Voluntary notification clauses are one recent development. These allow companies to inform stakeholders of a breach without regulatory mandates - an option that helps protect reputation and maintain customer trust.
"It helps protect the insured's reputation," Klein said. "Building trust and maintaining that trust and continued business."
Coverage has also expanded to include breaches from non-tech vendors, as the interconnectedness of business ecosystems becomes more apparent.
"We've seen an expansion in recent years to breach of non-technology vendors," he said. "As businesses have evolved, there's also an exposure that carriers can contemplate."
For industries where even a day offline can cost millions, risk evaluation tools are now more advanced and accessible than ever. Klein pointed to the growing availability of real-world vulnerability reports, ransomware cost estimates, and industry benchmarking.
“We have numerous tools - general benchmarking and education, ransomware exposure calculations,” he said. “These are not utilized on a penetration testing basis but are meant to be tools, so the clients are aware of the exposures.”
These tools aren’t just for annual insurance renewals. Klein urged companies to review their cybersecurity posture at least once a year, and many insurers now include these assessments as part of their service.
Ultimately, the threat landscape demands more than passive awareness. Klein warned that executive indifference is as dangerous as the attacks themselves.
“The entirety of the C-suite and board needs to be at least aware,” he said. “Being aware of all the exposures is extremely important.”
The views and opinions expressed in this article are those of the author and, where applicable, those of the sources quoted. Any quotes provided herein were done so in that person’s individual capacity and do not represent the views of their employer, colleague, client, family member, or any other person or institution—past, present, or future.