Cyber Security Practices Insurance Underwriters Demand by Natalie Lehr
Insurance underwriters aren't looking for companies impervious to risk. They want clients that understand the threat landscape and have demonstrated abilities to mitigate attacks.
With security breaches on the rise, IT professionals spend a lot of time questioning what kinds of cyber risk their companies’ insurance policies will cover. However, as those policies quickly move from optional to necessary, insurance companies are the ones asking the hard questions.
Before underwriters give the green light to cyber liability coverage, they want to see proof of insurability. That doesn’t mean they’re looking at your actuarial risk. To the contrary, regardless of past history, virtually every company today is susceptible to hacking or insider threats. That is the new reality. Therefore, insurance companies are focusing on factors beyond historic risk to inform their decisions.
When you seek out cyber insurance, underwriters will ask that you demonstrate your insurability as part of the pre-binding due diligence process. Doing so involves three primary factors:
Your understanding of cyber risk
The days when cyber risk was considered an IT problem are over. Today, cyber risk is an issue your entire business must address. In order to demonstrate that your organization fully understands the scope of cyber risk, evaluate it in a holistic manner. Consider the many directions from which an attack might come, the many forms it might take, the many information assets it might target, and the many motives that might spur it. Possibilities might include:
- A hacker group that views your company as an attractive political target
- A trusted insider who could be enticed to sell your intellectual property to a competitor
- One of your third-party service providers that is vulnerable to a malware attack, which could also expose your customers’ personally identifiable information
Savvy companies know that the risks come in many forms, so be ready to explain what policies and tools you have in place to address a variety of threats.
Your ability to mitigate a cyber attack
The ultimate goal for any security strategy is to prevent an attack from occurring in the first place, but unfortunately that’s not entirely reasonable. The next best thing is to minimize the harm it causes. No company is entirely inoculated from risk, but those that are prepared for it in advance suffer less. To prepare, your company needs to understand the threat landscape outlined above. That means assessing real-time risk across the entire ecosystem of your business: upstream, downstream, and inside your own organization. Unless you’re evaluating your weaknesses in a holistic manner, you won’t convince an insurer of your ability to identify an attack, never mind stop one.
You’ll need to show underwriters that you’re serious about security by conducting a holistic risk assessment before you face any known threats. Gather intelligence about which assets are your highest priorities, and which are most exposed. Then, align your security investments and resources to address those vulnerabilities. This can include a combination of perimeter and end-point solutions, and should incorporate extensive employee training. Showing that your organization has a strong cyber security culture goes a long way toward establishing security maturity.
Your likelihood of returning to business operations quickly
Cyber insurers know that your business is at risk -- all businesses are. However, you can increase your organization’s chances of receiving a policy by demonstrating cyber resilience. Do this by adopting mature security practices, continuously assessing risk, and creating a plan for business continuity during and after an attack. This is of great interest to cyber insurance underwriters, who want to see that you can stem data loss, protect your brand, and retain customer loyalty, even after an attack. All parties will benefit from an organization’s ability to mitigate risk, shorten attacks, and get back to business quickly, thereby reducing losses.
Insurance underwriters aren’t looking for clients that are impervious to cyber risk. There are no longer any companies that fall into that category, unfortunately. What they are looking for are businesses that understand the threat landscape and their own risks and have established a cyber security culture demonstrated through mature security practices. As you seek out the most beneficial cyber insurance policy your company can find, be prepared to prove that your organization is committed to not only improving its cyber security company-wide, but also to reducing data and financial loss resulting from an attack.
Natalie Lehr is co-founder and Vice President of Analytics at security consultancy TSC Advantage . With more than 15 years of experience as an intelligence professional, her expertise spans both the government and commercial sectors. Her work for the US government includes ... View Full Bio