October 30–31, 2016: Training
October 31–November 2, 2016: Tutorials & Conference
New York, NY

No single answer: Balancing cybersecurity insurance and a strong security program

Mark Stanislav (Duo Security), Nick Merker (Ice Miller LLP)
4:45pm–5:25pm Wednesday, 11/02/2016
Bridging business and security
Location: Mercury Ballroom
Level: Beginner

What you'll learn

  • Understand what cybersecurity insurance is, how coverage varies from policy to policy, where cybersecurity insurance provides value to an organization, and when it makes sense to purchase cybersecurity insurance
  • Learn what defensive controls are required by cybersecurity insurance policies and how they align with a strong security program
  • Discover where organizations should spend their money to mitigate their real-world risks, so that they are less likely to need to file a claim on a cybersecurity insurance policy at all


Information security has now moved beyond compliance and IT due diligence and into the direct concern of top corporate executives and their legal teams. Boards of directors, CEOs, and others are more in tune with the gaps in their organizations’ information security programs than ever before and are looking for ways to mitigate the risk these gaps create.

Insurers have come to the table with a new product to try to fill the market need: cybersecurity insurance. These policies are drafted to cover losses associated with cybersecurity incidents, including forensic costs and legal fees.

While cybersecurity insurance sounds great at a high level, are businesses truly aware of whether or not these policies provide actual benefit? Do organizations understand how cybersecurity insurance interacts (or doesn't) with contractual obligations pushed down from their customers? Should businesses be focusing more on proactive security safeguards to avoid an incident and less on reactive solutions designed to save cost?

Mark Stanislav and Nick Merker merge the worlds of information security and law to give a direct analysis of what businesses are getting right and wrong when it comes to security programs and how they can be more prepared to succeed, with or without insurance policies on hand. Drawing on his experience helping build security programs for organizations, Mark offers his perspective on often overlooked or underutilized defensive techniques that can provide true security value for less than a cybersecurity insurance deductible and explores how his customers deal with the subject of cybersecurity insurance. Nick then speaks to the legal technicalities of cybersecurity insurance, sharing what businesses should know, the pros and cons of these types of policies, and some public stories of coverage successes and failures.

Come join Mark and Nick as they dive into the nascent world of cybersecurity insurance, relating stories of success and failure and providing guidance to strengthen organizations, with the goal of making insurance policies your last line of defense.

Mark Stanislav

Duo Security

Mark Stanislav is the Director of Application Security for Duo Security. Mark has spoken internationally at over 100 events, including RSA, DEF CON, SOURCE Boston, Codegate, SecTor, and THOTCON. Mark’s security research and initiatives have been featured by news outlets such as the Wall Street Journal, the Associated Press, CNET, Good Morning America, and Forbes. Mark is the cofounder of the Internet of Things security research initiative BuildItSecure.ly. He is also the author of Two-Factor Authentication. Mark holds a BS in networking and IT administration and an MS in technology studies focused on information assurance, both from Eastern Michigan University. During his time at EMU, Mark built the curriculum for two courses focused on Linux administration and taught as an adjunct lecturer for two years. Mark holds CISSP, Security+, Linux+, and CCSK certifications.

Nick Merker

Ice Miller LLP

Nick Merker is a partner and cochair of Ice Miller’s Data Security and Privacy practice. With almost a decade of hands-on, prelegal computer systems, network, and security experience in the public and private sector, Nick bridges the gap between information technology and the law. Privacy law and technology are both constantly changing; Nick assists clients by analyzing laws against emerging technology and preparing clients to address regulatory and contractual audits, customer expectations, and assessment of risk. Nick also strives to educate others on trending privacy issues. He is a member of the faculty at the International Association of Privacy Professionals, where he leads privacy training across the globe to executives, engineers, lawyers, and managers. Nick teaches a Data Security and Privacy Law course at the Robert H. McKinney School of Law at Indiana University and is a frequent author and speaker on privacy issues at conferences and in multiple publications. Nick holds CISSP and CIPT certifications.
