Cyber-Insurance Controls: Building Resilience for Heightened Security

Organizations must strike a balance between conducting business efficiently while employing the necessary data security and availability measures.


Many companies wonder what measures they should take to secure their operations. The answer, in essence, is straightforward: implement every control that is relevant to the organization. Deciding what is relevant has become harder since Covid-19, however, because many organizations have changed how and where they operate (remote work, new cloud services, more devices outside the office), and controls chosen for the old structure may need revisiting.

Invariably, there is a cost associated with security. An organization can accept higher risk by running fewer controls, which leads to higher insurance premiums and greater exposure to cyber-attacks, or it can invest in controls that reduce risk, knowing that it may still be attacked. Either way, every organization faces risk today and must make a deliberate choice about its risk tolerance and strategy.

Understanding risks boils down to two main categories: data security (ensuring data remains accessible only to authorized individuals) and data availability (ensuring authorized individuals can access the data when needed).

Data security and availability are paramount concerns for most security and continuity solutions because breaches in these areas can spell disaster for a company. When seeking insurance coverage against cyber threats, companies are expected to implement all relevant controls to protect their data. Failure to do so may result in higher premiums due to elevated risk assessments by insurance providers.

Insurance companies typically scrutinize three key areas when evaluating policy details:

  1. The type of information held.
  2. Measures in place to ensure data availability.
  3. Measures in place to secure the data.

When examining the information held, insurers focus on various aspects:

  • The nature of the data (e.g., employee, customer, or patient information).
  • The type of data (e.g., social security numbers, credit card information).
  • The data's location (e.g., on-premises, cloud-based, dispersed across devices).
  • Potential consequences if the data is compromised or unavailable (e.g., regulatory fines, production loss, damage to reputation).

Ensuring data availability involves considerations such as:

  • Having a disaster recovery and business continuity plan.
  • Maintaining an incident response plan.
  • Defining recovery objectives.
  • Encrypting backups and regularly testing them with a restore.
  • Conducting tabletop exercises for incident response.
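The backup item above bundles two controls that insurers ask about separately: that backups are encrypted, and that restores are actually exercised rather than assumed to work. The following is an added example (not code from the original post or from any backup product) that shows the two together in Go: it encrypts a backup with AES-256-GCM, records a SHA-256 digest of the original data alongside it, and then performs a test restore that must both decrypt successfully and match the recorded digest. The `Backup` structure, the function names and the sample data are all constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Backup holds an encrypted backup plus the metadata needed to verify a
// restore. This is an illustrative layout, not any real backup tool's format.
type Backup struct {
	Nonce      []byte // GCM nonce, unique per backup
	Ciphertext []byte // AES-256-GCM output; the authentication tag is appended
	Digest     string // hex SHA-256 of the plaintext, recorded at backup time
}

// newGCM builds an AES-GCM AEAD from a 16-, 24- or 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptBackup encrypts plaintext and records its digest so that a later
// restore can be checked against what was originally backed up.
func EncryptBackup(key, plaintext []byte) (*Backup, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	sum := sha256.Sum256(plaintext)
	return &Backup{
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
		Digest:     hex.EncodeToString(sum[:]),
	}, nil
}

// RestoreBackup decrypts the backup and verifies the recovered data against
// the recorded digest. GCM's tag already detects tampering or a wrong key; the
// digest check additionally catches a manifest that was swapped or mis-recorded.
func RestoreBackup(key []byte, b *Backup) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, b.Nonce, b.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("decrypt failed (wrong key or corrupted backup): %w", err)
	}
	sum := sha256.Sum256(plaintext)
	if hex.EncodeToString(sum[:]) != b.Digest {
		return nil, errors.New("restored data does not match recorded digest")
	}
	return plaintext, nil
}

// VerifyRestore is the "regularly test them" step: restore into a scratch
// buffer and confirm the result equals the original. Returns nil on success.
func VerifyRestore(key []byte, b *Backup, original []byte) error {
	got, err := RestoreBackup(key, b)
	if err != nil {
		return err
	}
	if !bytes.Equal(got, original) {
		return errors.New("restore test failed: content mismatch")
	}
	return nil
}

func main() {
	key := make([]byte, 32) // AES-256 key; in practice this lives in a KMS/HSM
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// Constructed sample data standing in for a real backup set.
	data := []byte("constructed sample: customer records export")
	b, err := EncryptBackup(key, data)
	if err != nil {
		panic(err)
	}
	fmt.Println("restore test:", VerifyRestore(key, b, data))
	b.Ciphertext[0] ^= 0xff // simulate a corrupted backup file
	fmt.Println("tampered restore:", VerifyRestore(key, b, data))
}
```

Run as a scheduled job against a copy of the latest backup set, the restore test gives you evidence (a pass/fail record per run) that an insurer or auditor can ask for, rather than an assertion that backups "should" restore.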

Implementing security measures involves deploying controls to address known risks within the organization. These may include:

  • Multi-factor authentication.
  • Endpoint protection platforms.
  • Security information and event management systems.
  • Continuous patching and updates.
  • Security training for employees.
  • Access restrictions based on job function.

Insurance companies use these measures to assess the potential financial impact of data breaches and determine appropriate premiums.

Ultimately, organizations must strike a balance between conducting business efficiently while employing the necessary data security and availability measures. For more insights into this process, follow us on LinkedIn to ensure your organization remains resilient in the face of evolving threats.

Patrick H. Whelan – CISA
