In Part One, we defined the term “cyber insurance” and briefly discussed some of the challenges in getting affordable, right-sized coverage. Here in Part Two, I’ll touch on a few of the ways organizations are effectively communicating the efficacy of their security programs to negotiate the best possible insurance coverage.
Most cyber insurance carriers are still working out how to price policies for their customers. Lately I’ve had several conversations with corporate CISOs who lament filling out generic questionnaires about the technologies and controls in their security programs. One CISO told me, “I’m getting dinged if I don’t affirm that I have VPN for all remote employees,” even though most security practitioners agree that more modern, scalable alternatives (zero trust network access, for example) are now being deployed for remote users. This “check box” approach neither accounts for newer or creative control solutions nor demonstrates any understanding of a specific business’s operational model.
How are organizations successfully winning this battle?
The first thing to do is map your security controls to the NIST Cybersecurity Framework (CSF) or the CIS Critical Security Controls (the “Top 18”). Most security programs do this already; the point is to use your mapping, or your most recent assessment against it, as an educational tool with your broker to demonstrate coverage across the major control points. In the example above, VPN clearly lands in the “Protect” function of the NIST CSF (remote access management under the PR.AC category in CSF 1.1), but there are other ways to protect remote connections to corporate resources, and you should be able to get credit for them even if they are not the exact technology the insurer’s questionnaire asks about.
Next, be sure you can identify where your sensitive data resides (structured and unstructured alike) and the approximate number of records that most of your security controls are built around. Breach costs such as notification, credit monitoring and regulatory response scale with record count, so showing your insurer that you know this number helps them quantify the potential loss from a breach and leads to more accurate quotes on coverage.
Lastly, make sure your security risk management efforts are integrated into your overall IT risk management program. Security risk typically drives cyber insurance costs, but I’ve seen convincing IT risk management programs (strong change management, data management, controls over in-house development, and other broader IT functional controls) help significantly reduce the overall cost of cyber insurance coverage.
In this multipart series, we’ll continue to discuss how organizations can reduce their breach exposure and make credible, evidence-backed arguments to insurers for right-sized and fairly priced premiums.