Security Think Tank: Don’t rely on insurance alone
It’s news to no one that cyber attacks have increased in frequency, maturity and impact over the past few years and the threat landscape has grown significantly – and continues to do so. With that in mind, it’s probably not surprising that the cyber insurance market has had to evolve rapidly.
Notably, in recent years, insurers have paid out on a fairly large percentage of claims around the world. This is down to a growing maturity model that sees them forensically investigate a breach and understand its root causes to accurately define the policies and protections in place – insight that allows appropriate compensation to be determined precisely.
With more maturity being introduced to the cyber insurance standards that need to be met, we are seeing companies getting hot on the related processes. Simple questionnaires have been replaced by detailed investigations into the control mechanisms that organisations have implemented. For example, instead of simply asking whether they engage in security and awareness training for staff, insurers may want to know how regular this is, how it is refreshed and what mechanisms are in place to test that training is effective.
Organisations expect premiums to be adjusted in accordance with the controls they have implemented to mitigate risk. In other words, a high level of risk management will potentially lower the premium paid.
Here insurers may lend a helping hand by providing access to cyber-risk consultancy services as part of their policy to help customers manage their risks in this area. This practical assistance can be very valuable, especially for small and medium-sized enterprises (SMEs), giving insight into fundamental controls that all companies should get right.
These controls range from effective security awareness training and guarding against phishing, to access governance, vulnerability management, security operations and effective management of identities, especially privileged ones, to name but a few.
But even with insurance against attacks in place, companies cannot be passive bystanders. As a minimum, they need to understand both the risks to the organisation and the controls they are operating in this space, as this can inform the cost of insurance, the size of potential liabilities, and also the residual risk which is not covered by policies.
For example, a company that operates software-as-a-service (SaaS) solutions on behalf of customers may, as a processor of others’ data, carry greater risk than an enterprise that runs very few direct data processing activities, with the result that its liability insurance is greater. In a similar vein, a company with immature controls may present a greater risk than one with controls that are mature and well executed, so the latter would pay a lower premium.
At the same time, a “tick-box” approach needs to be avoided. The required products and implementations need to be accompanied by an understanding of their role and a commitment to the correct set-up and usage if they are to truly tackle risk.
Check the small print
Organisations also need to be clear on what the policy includes. Some may cover the breach itself, for example, but not pay the costs associated with recovering from that breach.
Taking a ransomware attack against a key database as an illustration, the insurance policy might cover the ransom (if paid), but not losses such as the cost of restoring services, the downtime caused by interrupted business operations, and the activities required to restore brand reputation.
Alternatively, malware risks may be part of a policy, but data exfiltration or privacy breaches may not be covered, so it is essential to understand how well protected the organisation is by its policy.
Insurance does not equal risk mitigation
Security can be a victim of its own success. Undertaken well, remedial action is not required, so it goes unnoticed, making negotiating spend on security difficult at the best of times. Therefore, another key point for security professionals handling cyber insurance to consider is the organisational inertia that the topic can induce. If the perception at board level is that the insurance covers the risk, it can be difficult to justify spending on the necessary controls.
However, as with other kinds of insurance, there are activities that can be undertaken to minimise risk. Taking car insurance as an example, someone might insure their car, but still obey the speed limit, wear a seatbelt and avoid drinking and driving, etc. In other words, despite being insured, they take additional preventative measures to ensure the risk to the car (the asset) is kept to a minimum.
Applying this principle to cyber insurance, security professionals need to focus on understanding the risk to the organisation. They need to know the information assets that require protecting, how those assets may be vulnerable and what controls are required to reduce the risk. Databases might all have up-to-date patching, but if one supports a business-critical application, such as controlling a production line, it may be more critical in the event of a ransomware attack.
It is important to work with the CISO (or equivalent) to understand these elements as well as possible, because this is all information that the insurer will ask about.
Security professionals also need to implement controls to help mitigate risk – everything from access governance, to penetration testing as part of effective vulnerability management, to cyber security training and awareness. These will be taken into consideration by an insurer when defining the policy – and the size of the premium.
Many of these controls are not operated by the IT department – security training to mitigate a cyber security risk, for example, might come under the jurisdiction of HR – so the IT security team needs to work with the overall business to document them.
Insurance does not replace controls
In conclusion, cyber insurance is a useful addition to the cyber protection toolbox. However, it cannot be regarded as a replacement for the controls that should be in operation to address the serious risk that cyber attacks pose to any organisation.