[BreachExchange] A security professional's guide to cyber insurance

Audrey McNeil audrey at riskbasedsecurity.com
Wed Apr 27 19:22:44 EDT 2016


http://www.securityinfowatch.com/article/12200330/a-security-professionals-guide-to-cyber-insurance

With the cost and frequency of data breaches continuing to rise, the demand
for cyber risk insurance is also growing as more companies are looking for
protection against the financial damage of a major cyberattack. In fact,
the number of companies purchasing cyber insurance increased approximately
250 percent between 2013 and 2015, according to the Ponemon Third Annual
Study on Data Breach Preparedness.

Yet, as more companies look to purchase insurance coverage for this complex
and often nuanced area, they are faced with a patchwork of different
policies, price points and exclusions that must be carefully evaluated.
While responsibility for this task often falls to chief risk officers at
companies and the insurance brokers that advise them, cybersecurity
professionals must also play a key role in the process. These experts often
have the best knowledge of the major cyber security risks that should be
covered, as well as the protections that should be in place to prevent a
security incident. These insights are vital when engaging with insurers.

Ultimately, collaboration across functions is vital to successfully
selecting and managing a cyber insurance policy. The following are some of
the best practices and key considerations to keep in mind when selecting
coverage.

Have a Strong and Well-Documented Security Posture

As the saying goes, the best offense is a good defense. Having a strong and
well-documented security program in place can help to potentially reduce
the cost of insurance or put a company in a stronger position to negotiate
more favorable terms. Companies that can demonstrate that they are
following security best practices to prevent attacks and that they have a
plan in place to manage a potential incident are often more attractive to
insurers.

There are several steps that cybersecurity professionals can take to help
in this process. For starters, having a well-documented data breach
response plan in place and practicing it on an ongoing basis better
prepares and equips companies to respond to an attack in a timely and
sensitive manner. Further, regularly conducting internal and third-party
audits of corporate networks, as well as third-party cloud providers or
other organizations that have access to sensitive information, can help
prove to insurers that the company is effectively managing security risks
and is compliant with applicable laws.

Beyond having these practices in place, it’s important that companies are
able to document and share details with underwriters about their company’s
security posture. For example, provide information about how your
organization holds vendors or other third parties (that may have access to
your sensitive information) accountable for meeting the same level of
security standards, or about whether your systems meet key industry
standards like ISO 27002.

Properly Evaluate Policies

If the policy chosen matches a company’s risk profile, cyber insurance
coverage can provide many benefits, which is why the involvement of
security professionals is key. As policies, price points and exclusions
vary across insurers, risk managers and security professionals will largely
benefit from working with brokers during the selection process. Brokers are
knowledgeable about the variety of policies available and can ask insurers
critical questions about both their experience handling these types of
events (i.e. how much loss experience they have, whether or not they’ve
paid actual data breach claims and covered major incidents) and about the
inclusions and exclusions of policies to ensure their company is choosing
the best priced and highest quality option.

Specifically, when working with brokers to evaluate policies and determine
the coverage best suited for a company, there are several key pieces to
look for:

- Existing exemptions – many older generations of cyber insurance policies
contained exclusions, so it’s important that all aspects of a response,
both pre- and post-breach, are covered. Determine what’s really included
and excluded in a potential future loss and whether or not specific
policies account for the unique risks or needs of your organization.
- Coverage for external vendors – as companies often use third-party cloud
or other IT providers, many policies include coverage for vendors who have
access to an organization’s sensitive information. While some of the
liability may ultimately lie with the third-party provider if an incident
occurs, this isn’t always the case, so be sure this isn’t an area of
oversight for your company.
- Coverage for response services – often policies will include coverage for
crisis response services including forensics, legal and data breach
resolution partners, and will outline experts that can be used during an
incident. In some cases, companies and brokers can also negotiate using
their own preferred providers, but this should be determined prior to
purchasing, in order to guarantee that your response team is comfortable
with the options available.
- Risk management services – to help companies effectively prepare for a
security incident ahead of time, many policies will offer resources and
guidance on response plans and practices that will help the company
mitigate the fallout of an attack. Some policies even take a company
through a cyber-security drill to help them better prepare. Such added
benefits can be very useful to companies in times of crisis.

Cybersecurity leaders play a major role in setting their companies up for
success when buying insurance. By establishing a strong security posture
ahead of time, identifying their company’s needs, and sharing this
information with risk managers and brokers, they can greatly influence and
benefit the purchasing process.