This blog post originally appeared on the Green Cloud Defense blog. Green Cloud Defense was acquired by 11:11 Systems in.
This isn’t news… cyber attacks are becoming more than just an occasional threat. The frequency of attacks is increasing, and many of them lead to major data breaches. You no longer need to go back months to find large-scale attacks being reported. This year saw waves of attacks that affected hospital care, stalled America’s biggest gasoline pipeline, brought a huge meat supplier to its knees and devastated hundreds of managed service providers. These breaches cost companies millions of dollars in revenue, lost reputation and legal damages. Because of this, insurers are rethinking their coverage and addressing the shared responsibility model so that they can properly assume these risks and hold policyholders appropriately accountable.
Cybersecurity Insurance is a type of insurance that protects employees when their data is compromised by a cyber attack. It also provides protection in the event of a physical attack on the workplace’s infrastructure or theft of trade secrets.
Insurers taking a closer look at how they will cover for cyber threats
In light of the increase in ransomware and other successful data breaches and attacks, it is not surprising that insurers are taking a hard look at whether or not they should be liable for damages. This is particularly true in cases where there is no physical damage to be covered by traditional insurance policies and the policyholder has put less than adequate cyber defenses in place. There is still a lot of uncertainty about what the future holds for those who were victims of hackers, but experts say it’s only a matter of time before we see changes in how cyber insurance works.
Insurers are considering all the ways that hackers may carry out cyber attacks in order to develop better underwriting standards for policies that can protect enterprises and their intellectual property from these attacks. This change in underwriting will also reach the policyholder: there will be requirements to “beef up their own cyber defenses” and protection solutions, according to Tom Reagan, Marsh McLennan’s head of U.S. cyber practice.
Cybersecurity insurance is at an inflection point, but it is on pace to be a $3 billion industry. With this much money at stake, insurers will surely put tighter coverage standards in place and increase prices. Therefore, it is paramount that policyholders not only bring their cybersecurity solutions in line with industry standards but also increase their awareness of this new and persisting threat.
You need to understand in detail what is not covered by your cybersecurity policy.
Policyholders must have discussions with their insurance providers
Gartner has reported that “Cybersecurity insurance is entirely a reactive product. It will not prevent a cybersecurity breach or immediately reduce the impact on the delivery of services to your end users. Therefore, you must continue to invest in your security program alongside your cybersecurity insurance considerations.”
Given the reactive nature of these insurance offerings, the policyholder needs to make sure they are compliant. This means companies and individuals need to follow compliance frameworks like CIS, NIST CSF or ISO 27001. Adhering to these standards helps ensure that your company has proper processes and standards in place to address the overall risk.
These industry standard frameworks are designed to be easy for any organization of any size or level of security risk to adopt. A framework is not a rigid “checklist” – it is a tool that helps organizations identify and prioritize actions within their cybersecurity strategy based on the organization’s risk profile and industry. Together with a properly executed insurance policy, you are protected as well as you can be in the event of an attack.
Tips for self-auditing and engaging your cyber insurance organization
You can use the questions below to self-audit and assess your cyber risk. This will help you understand your risk tolerance and decide how much coverage you need or how much risk to transfer.
- Can you quantify the maturity of the security at your organization?
- Is your company prepared for an attack?
- How much will it cost to improve the security?
- What are the consequences if you don’t act?
- What is the likelihood of an attack happening in the next year or two?
- What are you doing to protect your data?
- What is the probability that your company will be hacked?
- What are the consequences if you are hacked?
- Do you have a business continuity plan in place?
- How far back does your company’s data go and how much of it is important?