
Security Think Tank: Don't depend on insurance alone

Cyber insurance is a useful addition to the cyber protection toolbox. However, it cannot be seen as an alternative to the controls that need to be in operation, says Turnkey Consulting's Tom Venables

Tom Venables


Published: 27 Jul 2022

It is news to no-one that cyber attacks have increased in frequency, sophistication and impact in the past couple of years, and the threat landscape continues to grow significantly and remains active. Knowing that, it is probably not surprising that the cyber insurance market has also started to evolve rapidly.

Notably, in recent years, insurers have paid out on a reasonably large percentage of claims around the world. This is down to a growing maturity model that sees them forensically investigate a breach, understand its root causes and accurately determine which policies and protections were in place, which allows appropriate compensation to be defined precisely.

With more maturity being introduced into the cyber insurance standards that need to be met, we are seeing companies getting sharper on the related processes. Simple questionnaires have been replaced by detailed investigations into the control mechanisms that organisations have implemented. For instance, rather than simply asking whether they carry out security awareness training for staff, insurers may want to understand how regular it is, how it is refreshed and what mechanisms are in place to test that the training is effective.

Organisations expect premiums to be adjusted relative to the controls they have implemented to mitigate risk. In other words, a high level of risk management will potentially lower the premium paid.

Here, insurers may lend a helping hand by providing access to cyber-risk consultancy services as part of their policy, to help customers manage their risks in this area. This practical assistance can be extremely valuable, particularly for small and medium-sized enterprises (SMEs), giving insight into the fundamental controls that companies should get right.

These controls range from training on effective security awareness and guarding against internal phishing, to access governance, vulnerability management, security operations and effective management of identities, especially privileged ones, to name but a few.

But even with insurance against attacks in place, companies cannot be passive bystanders. At the very least, they need to understand both the risks to the organisation and the controls they are operating in this space, as this will inform the cost of insurance, the size of potential liabilities, and the residual risk that is not covered by policies.

For instance, an organisation that operates software-as-a-service (SaaS) solutions on behalf of customers may, as a processor of other people's data, carry greater risk than an enterprise that runs very few direct data processing activities, with the effect that its liability insurance is greater. In a similar vein, an organisation with immature controls may present a greater risk than one whose controls are mature and well executed, so the latter would pay a lower premium.

At the same time, a tick-box approach must be avoided. The required products and implementations need to be accompanied by an understanding of their role and a commitment to correct set-up and usage if they are to genuinely tackle risk.

Check all the facts

Organisations should also be clear on what the policy covers. Some may cover the breach itself, for instance, but not pay the costs associated with dealing with that breach.

Taking a ransomware attack against a key database as an illustration, the insurance policy might cover the ransom (if paid), but not losses such as the costs incurred in restoring services, the costs associated with the downtime caused by business operations being interrupted, and the actions needed to restore brand reputation.

Alternatively, malware risks may be part of an insurance policy, but data exfiltration or privacy breaches might not be covered, so it is essential to know how well protected the organisation is by its policy.

Insurance does not equal risk mitigation

Security can be a victim of its own success. Done well, remedial action is not needed, so it goes unnoticed, making it difficult to negotiate spend on security at the best of times. Therefore, another key point for security professionals handling cyber insurance to consider is the organisational inertia that this issue can induce. If the perception at board level is that the insurance covers the risk, it can be difficult to justify spending on the required controls.

However, there are activities that can be undertaken to minimise risk under other kinds of insurance. Taking car insurance as an example, someone might insure their car but still obey the speed limit, wear a seatbelt and avoid drinking and driving. Essentially, despite being insured, they take additional precautionary measures to ensure the risk to the car (the asset) is kept to a minimum.

Applying this principle to cyber insurance, security professionals need to focus on understanding the risk to the organisation. They need to know which information assets need protecting, how those assets could be vulnerable and what controls are needed to reduce the risk. Databases might all have up-to-date patching, but if one supports a business-critical application, such as controlling a production line, it would be more critical in the event of a ransomware attack.

It is important to work with the CISO (or equivalent) to understand these elements as well as possible, because this is all information that the insurer will ask about.

They also need to implement controls to help mitigate risk, from access governance, to penetration testing as part of effective vulnerability management, to cyber security training and awareness. These will be taken into account by an insurer when defining the policy and the size of the premium.

Many of these controls are not operated by the IT department. Security training to mitigate a cyber security risk, for instance, might come under the jurisdiction of HR, so the IT security team needs to work with the whole business to document them.

Insurance does not replace controls

In conclusion, cyber insurance is a useful addition to the cyber protection toolbox. However, it cannot be seen as an alternative to the controls that need to be in operation to address the serious risk that cyber attacks pose to any organisation.
