Security Think Tank: Don’t rely on insurance alone

It’s no secret that cyber attacks have grown in frequency, sophistication and impact over the past few years and the threat landscape has grown exponentially – and continues to do so. With this in mind, it is perhaps not surprising that the cyber insurance market needs to evolve quickly.

In particular, in recent years insurers have been paying out more and more money around the world. The size of those payouts has led them to investigate breaches forensically and understand their causes, in order to better assess the policies and protections that were in place – information that allows compensation to be determined more accurately.

As stricter standards are introduced for what a cyber insurance policy requires, companies are finding the questions put to them correspondingly tougher. Simple questions have been replaced by detailed inquiries into the management systems that organizations have implemented. For example, rather than simply asking whether employees receive security awareness training, insurers may want to know how often it is done, how it is refreshed and what methods are used to test its effectiveness.

Organizations expect their premium to be adjusted in line with the measures they have put in place to reduce risk. In other words, a high level of risk management can reduce the premium paid.

This is where insurers can help by offering cyber risk partnerships as part of their policies, to help customers manage their risks in this area. Such practical support can be very important, especially for small and medium-sized enterprises (SMEs), providing guidance on the improvements that all companies need to make.

This guidance covers areas such as well-informed security training and internal phishing protection, access controls, risk management, security services and proper management of information (especially access), to name just a few.

But even with insurance against these risks, companies cannot be mere bystanders. At the very least, they need to understand the risks the organization faces and the controls they have in place in this area, because these inform the cost of insurance, the size of potential liabilities, and the residual risk that is not covered by the policy.

For example, a company that uses software-as-a-service (SaaS) solutions on behalf of customers may, as a third-party data processor, carry greater risk than a business that does less data processing, and as a result its insurance premium may be higher. Likewise, a company with less mature governance may present a greater risk than one with more mature, well-regulated governance, so the latter may pay less.

At the same time, a “tick-box” approach should be avoided. Buying the product and putting the required measures in place must be accompanied by an understanding of the organization’s responsibilities and a commitment to implementing and using those measures properly if they are to address the risks.

Look at the small print

Organizations should also clarify what the policy actually covers. Some policies may cover the crime itself, for example, but not pay the costs associated with recovery.

Taking the threat of ransomware against a large database as an example, the insurance may pay the ransom (if it is paid), but not cover losses such as the cost of restoring operations, downtime due to business interruption, and the work required to restore brand reputation.

Alternatively, the risk of malware may be covered by the policy, but data loss or a breach of privacy may not be, so it is important to understand exactly how the organization is protected by its policy.

Insurance is not the same as reducing risk

Security can suffer from its own success: when it works, nothing happens and its value goes unnoticed, which makes negotiating the cost of security difficult at the best of times. Therefore, another point to be considered by security professionals handling cyber insurance is the organizational inertia that the topic can create. If the board’s view is that insurance covers the risk, it may be difficult to justify spending money on necessary controls.

However, there are actions that can be taken to reduce the risk, just as with other kinds of insurance. Taking car insurance as an example, someone can have their car insured but still obey the speed limit, wear a seat belt and avoid drinking and driving. In other words, even though they have insurance, they take precautions to ensure that in the event of an accident the damage to the car (the insured property) is limited.

Applying this principle to cyber insurance, security professionals must focus on understanding the organization’s risk. They need to know what information needs to be protected, how vulnerable that information is and what needs to be done to reduce the risk. All databases may have the latest patches, but if one supports a business-critical function, such as managing a production line, the consequences of a breach there will be far more serious.

It is important to work with the CISO (or equivalent) to understand these things and how they can be addressed, because these are exactly the things the insurer will ask about.

They must also implement controls to help mitigate risk – everything from access controls, to penetration testing as part of a security strategy, to cyber security training and awareness. This will be taken into account by the insurer when defining the policy – and the size of the premium.

Many of these things are not controlled by the IT department – security training to reduce cyber risk, for example, may be under the control of HR – so the IT security team must work with the entire business to document these controls.

Insurance is not a substitute for controls

Finally, cyber insurance is another addition to the cyber security toolbox. However, it cannot be considered a substitute for the controls that should be in place to deal with the serious threat that cyber attacks pose to any organization.