Although the boundaries of cyber risks are fluid, the potential impact of this fluidity can be devastating. In today’s world, Cyber Security Insurance coverage is crucial for businesses that heavily rely on information systems and emerging technologies. Any serious business owner must protect their business while complying with regulatory requirements. Cyber insurance also comes in handy to assure potential investors and essential business stakeholders of a company’s viability. To secure the best-fit cover for their business, owners must clearly articulate their risk landscape and the likelihood of its occurrence. However, for the most competitive pricing, preparation makes all the difference. If you are a business owner, this article provides general guidance to prepare for coverage that suits your unique cyber security needs.
Cyber Security Risk Assessment
Insurance is a key mitigation against cyber security exposures. You are responsible for ensuring sufficient preventive controls to protect your critical information assets. Conducting a Risk Assessment enables your insurer to understand the potential risk they need to cover in your policy. Typically, a self-assessment, an independent assessment, or an assessment by your insurer’s risk officer determines the score of your exposures. This exercise is a sine qua non for all insurance covers and forms the basis of the risk premium your insurer would place on your business. Some of the essential Cyber Security Controls that must be in place to protect your information assets are.
Cyber Security Governance:
Your insurer would want to know how Cyber Security governs your organisation. Apart from having current and approved cyber security and other related policies, standards and procedures in place, the assessment requires insights into the accountability of cyber security in your organisation and the size of your cyber security resources. Depending on your potential exposure, assessing the level of your Board of Director’s involvement in Cyber Security Management is prudent. Your Board may want to know about your Managed Security Service Provider (MSSP) and the related contracting arrangements if you outsource your security.
Data Protection and Records Management:
The types and quantities of information your organisation processes are crucial for determining the risks your company faces. Your insurer would ask if your business acquired, processes, stores, and communicates Personal Identifiable Information (PII), Protected Health Information (PHI), etc. For example, intellectual property, trade secrets and classified information, payment card information, research, and development materials, etc. Your insurer may want to know if you have industry standard certifications to handle specific data types where applicable (e.g., PCI DSS, NIST, SANS 18, etc.). Finally, demonstrating best practices for protecting data from acquisition to disposal could earn you significant savings in your insurance premium.
Vulnerability and Patch Management:
Because of the fluidity of cyber risks, a process must be in place to identify and remediate vulnerabilities in software and hardware environments on an ongoing basis. Effective vulnerability and patch management are essential controls for preventing the exploitation of vulnerabilities and, hence, cyber incidents. During the risk assessment process, the insurer will score you based on the strategies for managing exposures from the identification, cataloguing, remediation, and monitoring. Your insurer will use this evaluation to create your risk profile.
Malware and Phishing Defenses:
The insurer will also evaluate your malware and phishing defences. Without these, you are most vulnerable to malware attacks and other cyber incidents such as phishing, pharming, smishing, vishing, ransomware, virus attacks, etc.
Perimeter and Internet Defences:
Your insurer may want to assess what defences you have in place to protect your externally exposed assets to determine your attack surface. The assessment includes understanding your ability to filter incoming and outgoing communications to ensure that only permitted traffic is allowed.
Others:
In addition to the above, other areas of risk assessments for cyber insurance coverage may include an evaluation of your Cyber Security Awareness Programme. Cyber awareness is the most highly recommended tool in fighting cybercrimes. Your insurance company will also evaluate your processes for managing third-party and service providers, privileged and service accounts management, Identity, Credential and Access Management, software and hardware inventory management, and Security Incident and Event Management (SIEM). In addition, Data Security and Business Continuity management are also critical areas to consider in any cyber insurance risk assessment process.
Whether it is for cyber insurance cover or not, it should now be apparent that risk assessments also provide important dipstick tests of our strengths and weaknesses. They are not only meant to measure cyber risk profile or price your risk premium for any insurance cover. They represent a significant introspection to the insured business’s preparedness to prevent cyber risks by aligning your defences to proven standards and helping businesses combat cyber risks holistically. In conclusion, let us reiterate the need for risk assessment with a quote from Sun Tzu in The Art of War, “If you know the enemy and know yourself, you need not fear the outcome of a hundred battles. If you know yourself but not the enemy, for every victory gained, you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
Wahab Adams (CISA, CGEIT, CRISC) is the Group Head of IT at Hollard Ghana
