While a business can never totally eliminate risk, there are three things which can be done about it: (1) mitigate the risk, (2) accept the risk, or (3) transfer the risk. Larger companies have greater resources and access to skilled staff to document, assess and mitigate cybersecurity risks. Smaller businesses too often, by default and through lack of proactive action, simply accept those risks. Purchasing cyber-insurance transfers the risk to a third party, yet it still requires effort and planning to be an effective investment.
Like traditional insurance which protects businesses from natural disasters such as fire or flood, cyber-insurance can provide financial protection which could make the difference between business survival and failure. Coverage available from a business cyber-insurance policy may include protection against hacking, data destruction and loss of business, as well as human actions such as errors or negligence by an employee. Recovery expenses and, in some cases, help with managing the public relations and legal issues caused by an incident can also be features of cyber-insurance policies. However, purchasing business cyber-insurance is not as simple as chucking the risk over the fence. Most policies will have exclusions, and it is important to understand these by reading the policy carefully, as well as to understand the limits of coverage precisely. The insurance carrier will also exercise diligence to understand the risk they are undertaking when setting the premiums. It is therefore important to be prepared and to implement a set of best practices.
The insurance carrier will want to understand and evaluate: (1) impact, (2) likelihood, and (3) frequency of the insured risks. To the insurer, impact is the amount they could potentially be required to pay out in the event of a claim. Likelihood and frequency depend on several factors: the type of business, which determines a risk profile; the attack surfaces of the business, meaning the extent of exposure; and, most importantly, the mitigation efforts applied by the proposed insured.
For some of those factors, the insurance company will look to statistical data which may be outside the control of the business seeking insurance. Among them are the general risk exposure of a particular industry, the size of the business, any previous loss and claim history, years in business, and so on. The company's financial condition will also be a factor in the underwriting decision.
Areas where a business can have a measurable impact on the potential premium costs include the use of outsourced IT providers, third-party dependencies, and the standards and best practices it has implemented.
Some industries subject to compliance regulations will already have a framework of controls to implement. HIPAA applies to healthcare providers as well as to any company doing business with a covered entity under a business associate agreement. PCI DSS affects companies processing or storing payment card data. The insurance underwriter will likely be interested in seeing the audit results from external auditors, self-assessment, or both.
For businesses not already subject to a compliance standard, there are several resources to help implement a reasonable and effective set of security practices:
Center For Internet Security
The Center for Internet Security provides an excellent set of controls as well as self-assessment tools. The control framework also has supplemental material for mobile devices and privacy. Registration is required for access; once registered, a download link is sent by email and the material can be downloaded free of charge. See https://www.cisecurity.org/
NIST Cybersecurity Framework
The Cybersecurity Framework (CSF) grew out of Presidential Executive Order 13636 of 2013, aimed at improving critical infrastructure cybersecurity. The CSF can be downloaded from the NIST.gov website at: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf. The NIST website also has other useful tools which can be downloaded free of charge, such as the Framework Core, available as an Excel workbook, and the CSF Reference Tool.
ISO 27001
ISO 27001 is considered by some to be the "gold standard" of security frameworks and is recognized internationally. Companies implementing ISO 27001 can elect to be audited and receive certification attesting to their compliance with the standard. Certifications under ISO 27001 are subject to renewal and subsequent audits. The downside is that obtaining a copy of the standard is not free. Materials can be obtained from the American National Standards Institute or from the British Standards Institution for a reasonable fee.
For companies which outsource their IT functions to third-party suppliers, it is essential to demonstrate that the vendors and suppliers are held to the same standards as are applied internally. Take for example business associate agreements under HIPAA: just as covered entities are required to have business associate agreements in place with their suppliers, those business associates must in turn have them with their own suppliers, and so on down the chain.
Any business which outsources essential functions to a third party needs to have an agreement in place specifying the expectations and responsibilities of the parties, as well as the consequences for failure. These agreements should also include a right to audit or to receive a copy of the vendor's own third-party audit report. Using a third party can be perceived by the underwriter as either a net plus or a net minus, and one of the determining factors is the level of controls, and of validation of those controls, incorporated into the contractual relationship.
Business cyber-insurance is a useful and necessary method of addressing cybersecurity risk. However, it is not something a business simply "buys" and forgets. A thorough self-assessment and a control methodology are necessary before engaging an insurance carrier, as well as during the underwriting phase and after the policy is in place. The level of effort and consistency will have an impact on the premiums paid, and quite possibly on the payment of any subsequent claim.