The overlooked part of an infosec strategy: Cyber insurance underwriting
When a data breach or cyber attack hits the headlines, one of the last things businesses are likely to consider is how cyber insurance could have helped. Beyond a general awareness that cyber insurance is easy to purchase, some companies struggle to manage their processes and security well enough to qualify for a protection that is just as important to keeping the business operating and its reputation intact.
According to a Forrester survey commissioned in October 2019, nearly half of the 350+ SMBs surveyed had suffered a cyber attack in the previous year. The survey also revealed that 63% of respondents expect to fall victim to a cyber attack in the coming year, and 70% said a cyber attack would seriously cripple their business.
As one of the world’s leading insurers, we were an early pioneer in offering cyber insurance to businesses of diverse sizes internationally. Through a partnership with the cloud insurance platform provider Slice Labs, we became one of the first insurers in the U.S. to offer on-demand cyber insurance built specifically for SMBs, which typically lack the financial, staff, and time resources a large enterprise can devote to protecting itself from threats.
To strengthen the case for underwriting both SMBs and large enterprises, we would like to share some insight into how cyber insurance underwriting works, the vulnerabilities we most commonly see when underwriting and protecting companies, and tips for preparing for the application process.
The inner workings of the cyber insurance underwriting process
On average we provide between $500K and $1M in limits for SMB cyber insurance coverage. Before a business can secure this coverage, we evaluate its potential risk by using data and analytics to produce a forensics-level report on its current and predicted risk. Our approach is outside-in: we build a predictive model that not only evaluates the business itself but also benchmarks it against its industry and peer group.
By predicting potential vulnerabilities, we are able to reduce risk both for the client and for our own underwriting operations. There have been occasions where the assessment has left us unable to underwrite a client. The main reasons are companies being unwilling to enhance their security protocols or unaware of that
Among the businesses we have declined to underwrite, the most common vulnerabilities are susceptibility to phishing attacks through human error, and the lack of an incident response plan.
Vulnerabilities businesses need to be aware of when moving to the cloud
While few businesses would argue with the overall business benefits of migrating to the cloud, the headlines show that doing so does not make a business immune to threats. Those in the process of moving to the cloud should maintain on-premises redundancies in case the cloud service suffers an outage or a security breach.
Companies also need to be aware that, contractually, their cloud vendor may not indemnify them for a data breach or exposure of data. The cloud vendor may in turn rely on other third-party vendors to keep its services running, so cloud vendors are not immune to physical or digital risks that originate in their own supply chain.
While the cloud carries its own vulnerabilities, our on-demand cyber insurance is itself hosted in the cloud, and that has allowed us to be more efficient and intelligent in providing coverage and ongoing security health monitoring for our clients. It does not mean, however, that businesses can let their guard down and tolerate weak protocols once they have secured coverage or purchased a cloud technology product.
What can businesses do to fix vulnerabilities before applying for cyber insurance?
The first major area businesses need to shore up is employee training. The best technology and insurance cannot protect a business that neglects to continuously train its employees on how to protect company and customer information.
Businesses should also ensure their antivirus software is kept up to date and is not itself running with known, unpatched vulnerabilities. Customer trust, once lost, cannot be won back, so we recommend that companies retain PII for no longer than is strictly necessary.
Lastly, businesses, and SMBs in particular, need proper security controls in place for employees who remotely access their on-premises networks and their assets in the cloud.