Cybersecurity risks relate to the loss of confidentiality, integrity, or availability of the information, data, or systems that support organizational operations. There are four ways to treat a cybersecurity risk:
- Mitigate: reduce the vulnerability or the associated threat through remediation. Apply the required patch, change the default password, or take whatever other step lowers the likelihood or impact of the risk.
- Avoid: remove the exposure so the risk cannot occur at all. An example often given is installing an anti-phishing solution so phishing messages never reach end users; note that a filter only lowers the likelihood, so it is closer to mitigation, whereas strict avoidance means removing the activity or asset that creates the exposure, for example not collecting the sensitive data in the first place.
- Accept: acknowledge the risk and take no further action because the cost of mitigating, avoiding, or transferring it outweighs the expected loss. Acceptance should be a documented decision by someone with the authority to own the risk, not a default that results from doing nothing.
- Transfer: shift the risk to a third party through a contract such as Cyber Liability Insurance. You pay an insurer a premium, and the policy pays for covered losses in the event of a business disruption. Travelers describes Cyber Liability Insurance as “an insurance policy that provides businesses with a combination of coverage options to help protect the company from data breaches and other cyber security issues.” It also provides “access tools and resources to manage and mitigate cyber risk – pre-breach and post-breach”. Transfer only shifts the financial consequences; the organization remains accountable for the breach itself, including its regulatory and reputational consequences.
What is Cyber Insurance?
Cyber insurance is designed to cover organizations that use technology services or products against the financial exposure that follows a breach of sensitive data (personally identifiable information, protected health information, or personal financial information). Cyber liability coverage typically includes legal costs, forensics and security consulting, identity theft protection services for affected individuals, data restoration services, and any settlement with victims. What is actually covered depends on the policy wording and its exclusions, so read both before assuming a loss is insured.
Before an insurer will accept this transferred risk, the business is required to have certain controls in place to protect itself and limit its exposure. The level of control the company has implemented is ascertained through a cyber liability questionnaire that the organization must fill out. Questions may include the following:
Do you have a process in place to regularly download and install patches?
Do you have an incident response plan to respond to a network intrusion?
Is multi-factor authentication implemented for remote access to email and to other systems and programs that hold private or sensitive data in bulk?
Answer these accurately and keep evidence for each answer. The questionnaire forms part of the application, and a control that is attested but not actually in place can give the insurer grounds to deny a claim or rescind the policy.
To further limit their exposure, insurers may exclude acts sponsored by nation-states or carried out in conjunction with a conventional physical war. Two recent incidents believed to be nation-state operations are WannaCry and the SolarWinds supply-chain attack (publicly attributed by several governments to North Korea and Russia respectively). WannaCry affected companies throughout the world over four days in May 2017 and is estimated to have caused losses in the billions, while the SolarWinds attack is estimated to have cost around $90 million; under these newer exclusions, such losses would not have been covered. Because the exclusion turns on attribution, check how the policy defines a state-sponsored act and who has to prove it.
Cyber insurance underwriters have put together a list of controls graded by traffic-light color. Red is the minimum standard organizations must implement, amber covers requirements above the minimum that make an applicant more attractive to underwriters, and green covers the requirements most attractive to underwriters. The list below presents the controls without the color markings.
- Multi-factor authentication (MFA) for:
  - Employee email.
  - Remote access by users who access sensitive data.
  - Privileged accounts and privileged access. This includes domain administrators and also business roles that routinely handle sensitive data, such as the Chief Financial Officer and Human Resources staff.
- Offsite (preferably offline, so ransomware cannot reach them) backups of critical data.
- Endpoint detection and response (EDR) solution on all managed endpoints.
- An audited, written plan for patching critical software and hardware.
- Employee cybersecurity training, including phishing simulations.
- Strong email filtering tools to limit the delivery of risky emails.
- Security measures for privileged access accounts.
- End-of-life, unsupported software and hardware segregated from the rest of the network, with a plan to decommission it.
- A cyber-incident disaster recovery and incident response plan.
- Segmentation of the computer network by operational function, data classification, and operational risk.
- Local administrator accounts disabled on endpoints.
- An organizational password management application implemented.
- A detailed inventory of service accounts holding domain credentials, the services they run, and monitoring of those accounts.
- Security information and event management (SIEM) implemented.
- Data loss prevention (DLP) tools implemented.
- Adherence to an information security framework such as the NIST Cybersecurity Framework, the CIS Controls, or another common cybersecurity framework.
- A 24/7 Security Operations Center (SOC), internal or outsourced.
What This Means for You
We encourage organizations to put in place controls that protect critical data and systems and to align those controls with the level of risk the organization has agreed to accept. Obtain cyber insurance to transfer the remaining risk and limit the organizational impact of an incident. Insurance is not an alternative to implementing sound security controls, but for many organizations it is the motivating factor for implementing them.