Reports of data breaches and cyber attacks are all too commonplace. The recent discovery of the Heartbleed bug in the OpenSSL encryption software shows that even companies that are doing “everything right” can be exposed to unforeseen gaps in security that threaten their compliance and the integrity of vital systems.
Cybersecurity Addressed by Government and Insurers
The rise of these threats and our increasing dependence on data and technology have created a new insurance market for cybersecurity coverage. Many businesses are still grappling with their need for such coverage and with the costs and options available. The insurance industry is also grappling with how to offer policies that adequately cover the risks a business may face at a cost the market will accept.
As explained by the Department of Homeland Security (DHS): “Cybersecurity insurance is designed to mitigate losses from a variety of cyber incidents, including data breaches, business interruption, and network damage…Many companies nevertheless forego available policies, citing their perceived high cost…”
Other reasons cited on the DHS website for reluctance to buy cybersecurity insurance include “a lack of awareness about what they cover, and uncertainty that they’ll suffer a cyber attack.” The likelihood that a company will experience a cyber attack is too great to be an acceptable risk to assume without doing everything possible to mitigate that risk. Recognizing this growing risk to American businesses, the President issued an Executive Order in 2013 calling for an in-depth examination of cybersecurity issues.
The resulting guidelines released by the National Institute of Standards and Technology (NIST) in February 2014, the Framework for Improving Critical Infrastructure Cybersecurity, address challenges faced by business, government, and insurers to manage cybersecurity effectively in the future. As one of the key steps to improving a cybersecurity program, the Framework “supports recurring risk assessments and validation of business drivers to help organizations select target states for cybersecurity activities that reflect desired outcomes.”
In response to the Executive Order, the Treasury Department’s Report to the President on Cybersecurity Incentives states that “Insurers also may encourage policyholders to implement even stronger cyber protections by offering premium discounts to those who make additional security investments that reduce risks of loss to events covered by cyber insurance.”
Conduct a Security Risk Assessment Before Purchasing Cyber Insurance
As regulators and insurers strive to understand the available data and to develop policies that meet the security needs of businesses, they are also trying to assess the various risk factors their applicants present. It is clear that any evidence a company can provide to demonstrate diligent risk mitigation and management will work in its favor when negotiating coverage and insurance premiums.
With a thorough, independent risk assessment conducted prior to comparing and applying for a cybersecurity insurance policy, you will be a step ahead. In fact, many insurers are now requiring a risk assessment for business applicants before providing coverage.
- Knowledge of security gaps gives you the opportunity to address gaps that might be red flags for the insurer and lead to higher premiums.
- An educated applicant brings a confident understanding of risk which can be leveraged in negotiating coverage and premiums.
- A thorough, objective risk assessment leads to lower premiums as the insurer can be more confident in your dedication to security and to proactively mitigating risk.
We will continue to hear news of costly breaches and vicious cyber attacks. As you pursue strategies for mitigating risk and maintaining the necessary compliance required for your industry, don’t hesitate to consider cyber insurance for the added protection that could be invaluable should something unforeseen happen despite your best efforts.
As you research various cyber insurance options, keep in mind that an up-to-date, comprehensive risk assessment could carry you into the application process with information and confidence and set you up for the best possible rate for the coverage you need. Demonstrating due diligence in identifying security threats and mitigating information security risks with the implementation of effective controls and safeguards is essential for businesses today.