Security Posture and Cyber Security Insurance
When evaluating policies, consider those that include first-party and third-party coverage options. First-party coverage includes costs directly associated with repair of the affected system. These costs could include equipment, incident response and other consulting necessary to repair the vulnerability. Some policies may include the cost associated with temporary hosting, which can help you restore services quickly if you do not maintain a self-hosted disaster recovery environment.
Third-party coverage includes costs associated with litigation and fines levied. This coverage also typically includes the cost for notification to persons or businesses affected by the incident.
One question that comes up regularly when discussing cyber security insurance with our customers is: “Are there any ways to lower cybersecurity premiums?” The answer to this is “probably”; however, each insurance provider measures and categorizes risk differently.
In order to set premiums and coverage limits, the more advanced providers are independently evaluating the efficacy of specific security tools as well as the organization’s commitment to a risk management program. These are similar to the automobile insurance industry’s evaluations of a vehicle’s safety equipment features, such as anti-lock braking systems, passenger restraints and collision avoidance technologies. These vehicle features, along with the operator’s driving record, use of seat belts and other personal criteria, impact the vehicle owner’s insurance category and premiums.
While cyber security insurance is a helpful option, it is not a replacement for a true security program that routinely evaluates, measures and reduces operational risk to acceptable levels [1]. This is done using policies, procedures and training that create a culture of security, coupled with effectively selected and managed security products.
Cyber security insurance providers are beginning to validate the existence and effectiveness of an organization’s security measures to evaluate their insurability. As the number of cyber security incidents in healthcare organizations continues to rise, it is expected that insurance providers will require that these tools and processes exist before covering an organization. Healthcare organizations that haven’t implemented security measures to protect their environment, expecting to rely on cyber security insurance to cover them in the event of a breach or security incident, will find themselves without this protection unless they commit to an effective security program [2].
Our ePlus Security Advisory and Consulting Services team works with our customers to improve their security programs and provide effective security. Making security pervasive across an organization and enforcing a security-first culture with its employees is the best insurance policy around.
[1] “Cyber Insurance: A Study In Fine Print,” Forbes Insights, August 14, 2019. (https://www.forbes.com/sites/insights-ibmresiliency/2019/08/14/cyber-insurance-a-study-in-fine-print/#4d0e51df2d58)
[2] Colby Proffitt, “Insight: Should Cyber Insurance Be a Line Item in Your Security Budget?” Bloomberg Law, April 18, 2019. (https://news.bloomberglaw.com/privacy-and-data-security/insight-should-cyber-insurance-be-a-line-item-in-your-security-budget)