Cyber insurance is not cybersecurity. But cyber insurance and cybersecurity, when combined, can provide a powerful combination of protection and risk management. Cybersecurity aims to prevent attacks before they happen. Cyber insurance not only pushes organizations to improve their cybersecurity and reduce their risk but, like any insurance, provides a financial backstop in case of a damaging loss. As the cyber insurance industry matures, it will push organizations to seek the best possible security, while aiming to reduce risk. When done right, it’s a win for organizations.
When selecting a cyber insurance provider, here are some tips to keep in mind:
1. Know with whom you are transacting business. The insurance industry is highly regulated. Only licensed insurance brokers can sell insurance policies. It is illegal for any third party to advertise, sell, or imply that it sells insurance.
2. Be mindful of advice from “Top 10” type articles. They may be well-researched and well-intentioned, but only the insurance company can tell you what they require. The premiums are based on your overall risk posture and the amount of risk you seek to transfer to the insurance company.
3. Cyber underwriters rate your cyber risk. Your risk is calculated via actuarial data, predictive analysis, assessment results and lengthy questionnaires.
4. Be truthful on the questionnaires. If you check a box affirming that you have multi-factor authentication (MFA), for example, it’s not enough to only have a purchase contract and license for it. It must be installed, configured and functional.
5. Prioritize the review and updating of your cyber insurance documentation. This is especially important if you’re in a new cyber leadership role and/or are inheriting the environment: you may be bound to what your predecessor reported to the insurance company.
6. Know the rules of engagement. When should you engage the insurance company, and what happens next? This is likely detailed in your policy. For example, does the policy include incident response team (IRT) services? If so, the cyber liability lawyer retained by the insurance company will activate the rest of the team (incident handlers, public relations, ransom negotiators, etc.) and manage the incident on behalf of the insurance company.
7. Be clear on the role of cyber insurance. It is a limited financial compensating control to help offset the cost of a cyberattack. The constraints of your policy exist to mitigate the risk the insurer is assuming for your organization. The better you manage your risk, the less risk you will need to transfer to the insurance company.
Through predictive analysis, cyber insurers can rate the probability, impact and likely cost of a cyberattack. They can produce lists of the security controls needed to avoid or limit such risk. Here are some of the most common security controls that insurers recommend:
1. Patch & device management – ensure you’re running supported code on supported devices.
2. Multi-factor authentication (MFA)
3. Identity awareness (IA)
4. Email and collaboration tool security
5. Zero-trust security platform
6. Reduce the number of security vendors and ensure appropriate integrations are implemented.
7. Choose security solutions with high catch rates. See value of a catch rate for details.
Consult your insurer for specific recommendations on the types of security controls they require. These recommendations are derived from the most common suggestions I’ve seen over the past few years.