Cyber-Insurance: Assess Risk, Policy & Obligations
By Guest Author | Posted 2017-04-19
Directors and executives are best-positioned to align cyber-insurance coverage with business objectives, asset vulnerability, third-party risk and other factors.
Review the Security Posture and the Threat Environment
Companies need to review their current security posture and threat environment on a regular basis. It’s also crucial to have mechanisms in place for continual improvement. The technologies involved in cyber-security threats and countermeasures are on a very steep growth curve, making it hard to predict what targets will be breached, how they will be infiltrated and why they are appealing to hackers.
Looking across the horizon, directors may find it useful to develop multiple breach scenarios, assess risk levels, and calculate the comprehensive cost of projected damages before cyber-insurance amounts are decided.
Currently, most policy premiums are based on self-assessments. The more accurate the information provided in your application, the more protected your organization will be. Most policies stipulate obligations the insured must meet in order to qualify for full coverage. These stipulations vary across insurance companies, so be sure to read the fine print and seek expert advice.
If you’re not certain that your security measures fulfill these obligations, a professional security assessment can pinpoint areas in need of improvement. If you claim to be following specific security protocols, but a post-breach investigation finds that those protocols were poorly implemented, circumvented by employees, or insufficiently monitored and tracked, the insurer may deny or reduce coverage. If anything significant about your security program changes, be sure to notify your insurance provider immediately.
Likewise, the threat landscape is rapidly evolving, so review your policy details regularly to ensure they match the prevailing threat vectors and reflect the evolution of crimeware and dark web exploits. Cyber-insurance carriers will continually adjust their coverage offerings based on risk exposure and litigation outcomes.
As the industry matures, cyber-insurance policies will become more standardized, but for now, it’s an evolving product in a dynamic market. Boards and other executives need to keep an eye on industry trends and developments. Simultaneously, they need to maintain a high degree of visibility into their organization’s security program. Checking off compliance requirements, writing policies and purchasing security software isn’t sufficient.
The best way to ensure full claims coverage for a damaging data breach is to lead from the top: Ensure that risk assessments are thorough and up to date, policies are communicated and enforced, and security technology is properly configured, patched and monitored.
In an era in which the likelihood of a cyber-attack is high, turning a blind eye can have disastrous consequences. Cyber-insurance can soften the financial blows, but it works best in conjunction with an enterprise-wide culture of security, a comprehensive risk management program and a carefully maintained security stance.
Greg Reber is the founder and CEO of AsTech Consulting, an information security consulting firm he started in 1997. Reber was among the first to recognize and address the risks presented by consumer-facing applications, and he launched AsTech Consulting to provide real-world information security solutions to Fortune 1000 companies.