Know the Answers to These 5 Questions Before You Get Cyber Insurance
By Dr. Rey LeClerc Sveinsson, ERMProtect
Before you get cyber insurance, your insurance carrier will likely conduct a cyber insurance risk assessment on your company. This is a high-level review that identifies the risk areas and security gaps your company faces. A cyber insurance risk assessment considers not just technology but also company protocols and daily employee procedures that may create security risk.
The risk assessment benefits both the insurance carrier and the company it is assessing. Insurance carriers gain the knowledge needed to underwrite the risk appropriately. A business with many areas vulnerable to security breaches will be at higher risk – and incur a higher premium – than a company with fewer issues.
The assessment also benefits the company because the insurer provides a checklist to help pinpoint vulnerable areas. With this information, the company can take measures to reduce or eliminate risks. Shoring up exposed systems and processes may prevent hacks and breaches while reducing the premiums the business has to pay the insurer.
Cybersecurity Liability Insurance
The following are five questions that, if answered truthfully, should give an underwriter a good indication of a company’s security maturity and risk level. However, it does not exempt the underwriter from doing a more in-depth review.
Do you have an independent party reviewing, at least annually, the effectiveness of your technical and organizational security controls and related processes? If no, please explain what you do instead to gain and maintain security assurance.
A good answer: "Yes, a third party reviews the effectiveness of our technical and organizational security controls and related processes. This includes SOC 2, ISO 27001 and penetration testing."
Rationale: Conducting periodic assessments of the company's information security and risk management maturity will help baseline its strengths, identify its deficiencies, and plan and execute remediation in a structured way. For example, periodic penetration tests evaluate IT security by simulating attacks that identify exploitable vulnerabilities so they can be remediated. A SOC 2 audit report provides independent verification and assurance related to an organization's controls for processing, transmitting, and storing information; a Type II report covers whether those controls operated effectively over a period, not just whether they were designed.
Do you have an overview of the critical information of the company and is this information adequately protected end-to-end? If no, please explain how the critical data is protected and what controls are implemented.
A good answer: "Yes, we have identified our critical information assets and have procedures to classify systems and information that is stored, processed, shared, or transmitted according to the type of data (e.g., confidential or sensitive) and its value to critical business functions. Controls appropriate to each classification are in place."
Rationale: Identifying critical information assets is always the first step in the risk management process. Conducting a data mapping exercise helps the business scope the data access and sharing rules with its partners and suppliers. Once mapping is complete, a data classification program is the next essential step to building a secure organization. Classifying data is the process of categorizing data assets according to their sensitivity. With data classified, the company can assign controls by classification level and, when an incident occurs, judge its risk and impact quickly based on what type of data is involved.
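Data mapping and classification are usually driven by automated discovery: scanning repositories for sensitive-data patterns and labelling each record. The following is an added example written for this page, not code from the article or from ERMProtect; the classification levels, the patterns, and the sample records are all constructed assumptions. It shows the practical detail a practitioner cares about: validating card-number matches with a Luhn check to cut false positives, and redacting findings so the inventory itself does not become a leak.

```python
"""Toy data-discovery classifier (added example, not from the article).

Scans text records for sensitive-data patterns and assigns a classification
label. Patterns and levels are simplified assumptions for illustration.
"""
import re
from dataclasses import dataclass, field

# Assumed classification scheme, lowest to highest sensitivity.
LEVELS = ("Public", "Internal", "Confidential", "Restricted")

# Simplified detectors. Real programs use many more, tuned per jurisdiction.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")                 # US SSN shape
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")               # candidate PAN
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")        # email address


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; a 16-digit build ID or timestamp usually fails it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return Luhn-valid candidate card numbers found in text (digits only)."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def redact(value: str, keep: int = 4) -> str:
    """Mask all but the last `keep` characters so findings can be logged safely."""
    return "*" * (len(value) - keep) + value[-keep:]


@dataclass
class Finding:
    label: str
    reasons: list = field(default_factory=list)


def classify(record: str) -> Finding:
    """Label a record by the most sensitive data element it contains."""
    level = 0
    reasons = []
    for pan in find_card_numbers(record):
        reasons.append(f"payment card number {redact(pan)}")
        level = max(level, 3)                      # Restricted
    if SSN_RE.search(record):
        reasons.append("US SSN")
        level = max(level, 3)                      # Restricted
    if EMAIL_RE.search(record):
        reasons.append("email address")
        level = max(level, 2)                      # Confidential
    return Finding(LEVELS[level], reasons)


def classify_inventory(records: dict) -> dict:
    """Map each record path to its classification label."""
    return {path: classify(text).label for path, text in records.items()}


# Constructed sample records; the card number is a well-known test PAN and the
# build log carries a 16-digit ID that must NOT be flagged (fails Luhn).
SAMPLE_RECORDS = {
    "marketing/brochure.txt": "Visit our booth at the expo, booth 4117.",
    "hr/onboarding.csv": "jane.doe@example.com,123-45-6789,Engineering",
    "finance/refunds.log": "refund issued to card 4111 1111 1111 1111 amount 42.00",
    "ops/build.log": "build 1234567890123456 succeeded",
}

if __name__ == "__main__":
    for path, label in classify_inventory(SAMPLE_RECORDS).items():
        print(f"{label:12} {path}  {classify(SAMPLE_RECORDS[path]).reasons}")
```

The output of such a scan is the starting point for the inventory an underwriter asks about: which systems hold Restricted data, who can reach them, and which controls apply. Note that the scanner labels by pattern only; a record that merely looks like an SSN still has to be confirmed by the data owner, and any finding you store must be redacted as the example does.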
Do you have organizational and technical controls in place to detect, respond and react to a cyber-incident in a timely manner, including a cross-functional incident response structure and processes? If no, please explain the controls and processes implemented to detect and prevent cyber-incidents.
A good answer: "Yes, incident response policies and procedures consistent with applicable laws and state policies are in place. These include but are not limited to identification of roles and responsibilities, investigation, containment and escalation procedures, documentation and preservation of evidence, communication protocols, and lessons learned."
Rationale: An incident response plan is something that every organization should have in place to react effectively to a data breach. The plan should be developed to cover the following actions:
- Identify the potential incident
- Respond to the incident in a timely manner
- Assess the situation and analyze the severity of the incident
- Notify the appropriate parties about the incident
- Take appropriate measures to protect sensitive data and minimize impact
- Organize, prioritize, and escalate the incident response activities accordingly
- Prepare for adequate business recovery support in the wake of any damage caused while the incident was active
- Review the process and make the adjustments needed to prevent similar incidents and to handle future ones better
The plan should also address how the organization will carry out a digital forensic investigation to identify the root cause of a breach, so it can be contained and remediated. Organizations may want to identify in advance a good digital forensics services company and place it on retainer to ensure a rapid response by professionally trained digital forensic investigators.
Do you provide regular security awareness trainings and activities to make employees aware of cyber risks and how to protect critical information? If no, please explain how you make employees aware of cyber risks.
A good answer: "Yes, security awareness training is provided to all employees and contractors on an annual basis that addresses acceptable use and good computing practices for systems they are authorized to access. Content of training is based on the company’s policies such as privacy requirements, virus protection, incident reporting, Internet use, notification to staff about monitoring activities, password requirements, and consequences of legal and policy violations."
Rationale: The behavior of employees with access to data affects information systems and assets. Employee and contractor behavior is a leading source of costly data breaches, and security awareness training for employees and third-party contractors is one of the most effective ways to prevent that loss. Remember: The best way to achieve a significant and lasting improvement in information security is not by throwing more technical solutions at the problem; it is by raising security awareness and educating everyone who interacts with computer networks, systems, and information.
Do you have a governance structure in place that ensures that security controls are regularly assessed against the fast-changing threat environment and that the controls get adapted accordingly? If no, please explain how you keep up with the fast-changing environment.
A good answer: "Yes, information security governance is the responsibility of the board of directors and senior management. It is an integral and transparent part of enterprise governance and is aligned with the IT governance framework. To exercise effective enterprise and information security governance, the board and senior management have a clear understanding of what to expect from the enterprise's information security program. They know how to direct the implementation of an information security program, how to evaluate its status, and how to decide the go-forward strategy and objectives of an effective security program."
Rationale: Information retention and privacy regulations, coupled with significant threats of information systems disruptions from hackers, worms, viruses and terrorists, have resulted in a need for a governance approach to information management. The governance structure must help prioritize risks and provide support when more resources are required to protect the organization. The board may want to consider periodically retaining an independent cybersecurity firm to perform a comprehensive risk assessment to guide its governance efforts.
The structure of the security governance body can vary widely depending on the structure and size of the organization. However, it is common that representatives come from these organizational departments: legal, human resources, compliance, internal audit as well as information technology and security. This helps create an environment where every department feels it has a role in creating security policy. The Chief Information Security Officer (CISO) can use this governance body as a platform to discuss risks and build support to move difficult information security decisions forward. The governance body helps the CISO preserve political capital and increase political influence, which is critical in driving the information security policy.
Working with Cyber Insurance and ERMProtect
ERMProtect can help your organization elevate its cybersecurity posture before getting cyber insurance. We leverage 25 years of experience in cybersecurity to secure your data, protect your business, and manage costs and risk. For more information, call 305-447-6750 or email us at [email protected].