Cyber Security Insurance Underwriters Demand their Clients Understand the Threat Landscape

Insurance underwriters aren't looking for companies impervious to risk. They want clients that understand the threat landscape and have demonstrated abilities to mitigate attacks.

With security breaches on the rise, IT professionals spend a lot of time questioning what kinds of cyber risk their companies’ insurance policies will cover. However, as those policies quickly move from optional to necessary, insurance companies are the ones asking the hard questions.

Before underwriters give the green light to cyber liability coverage, they want to see proof of insurability. That doesn’t mean they’re looking at your actuarial risk. To the contrary, regardless of past history, virtually every company today is susceptible to hacking or insider threats. That is the new reality. Therefore, insurance companies are focusing on factors beyond historic risk to inform their decisions.

When you seek out cyber insurance, underwriters will ask that you demonstrate your insurability as part of the pre-binding due diligence process. Doing so involves three primary factors:

Your understanding of cyber risk

The days when cyber risk was considered an IT problem are over. Today, cyber risk is an issue your entire business must address. In order to demonstrate that your organization fully understands the scope of cyber risk, evaluate it in a holistic manner. Consider the many directions from which an attack might come, the many forms it might take, the many information assets it might target, and the many motives that might spur it. Possibilities might include:

  • A hacker group that views your company as an attractive political target
  • A trusted insider who could be enticed to sell your intellectual property to a competitor
  • One of your third-party service providers that is vulnerable to a malware attack, which could also expose your customers’ personally identifiable information

Savvy companies know that the risks come in many forms, so be ready to explain what policies and tools you have in place to address a variety of threats.

Your ability to mitigate a cyber attack

The ultimate goal for any security strategy is to prevent an attack from occurring in the first place, but unfortunately that’s not entirely reasonable. The next best thing is to minimize the harm it causes. No company is entirely inoculated from risk, but those that are prepared for it in advance suffer less. To prepare, your company needs to understand the threat landscape outlined above. That means assessing real-time risk across the entire ecosystem of your business: upstream, downstream, and inside your own organization. Unless you’re evaluating your weaknesses in a holistic manner, you won’t convince an insurer of your ability to identify an attack, never mind stop one.

You’ll need to show underwriters that you’re serious about security by conducting a holistic risk assessment before you face any known threats. Gather intelligence about which assets are your highest priorities, and which are most exposed. Then, align your security investments and resources to address those vulnerabilities. This can include a combination of perimeter and end-point solutions, and should incorporate extensive employee training. Showing that your organization has a strong cyber security culture goes a long way toward establishing security maturity.

Your likelihood of returning to business operations quickly

Cyber insurers know that your business is at risk; all businesses are. However, you can increase your organization’s chances of receiving a policy by demonstrating cyber resilience. Do this by adopting mature security practices, continuously assessing risk, and creating a plan for business continuity during and after an attack. This is of great interest to cyber insurance underwriters, who want to see that you can stem data loss, protect your brand, and retain customer loyalty, even after an attack. All parties will benefit from an organization’s ability to mitigate risk, shorten attacks, and get back to business quickly, thereby reducing losses.

Insurance underwriters aren’t looking for clients that are impervious to cyber risk. There are no longer any companies that fall into that category, unfortunately. What they are looking for are businesses that understand the threat landscape and their own risks and have established a cyber security culture demonstrated through mature security practices. As you seek out the most beneficial cyber insurance policy your company can find, be prepared to prove that your organization is committed to not only improving its cyber security company-wide, but also to reducing data and financial loss resulting from an attack.
