Three Key Requirements for Cyber Insurance
Cyber is an ever-evolving and exciting field of insurance. The cyber insurance product initially came into existence as an indemnity product, passive in nature, paying out losses after they occurred, like other lines of insurance. Then came the realization that the insurer cannot be a passive player at all times and has to be involved in the management of the cyber claim by providing incident response services.
However, the involvement of the insurer at the time of the incident helps only in minimizing the claim. It does not address the preventative aspect. Insurers are now more focused on how losses can be prevented, for example by being actively involved in risk and vulnerability assessment at the pre-underwriting stage.
Due to the ever-increasing number of cyber attacks, data breaches and ransom demands, the era of passive underwriting has probably come to an end.
Nowadays, cyber insurance policies undergo a great deal of underwriting scrutiny to ensure that the prospect has a robust IT security architecture in place as a precondition for underwriting. While any system can potentially be defeated, prospects with critical vulnerabilities and weaknesses are ready candidates for cyber attacks. Such prospects are now finding it increasingly difficult to obtain meaningful cyber insurance in most markets around the world.
So what are the three essential requirements a prospect must fulfill to obtain cyber insurance?
Any cyber incident defence starts with having the appropriate organization and people in place to handle events as they occur. The IT security organization should be well defined, with clear roles and responsibilities. The chief information security officer (CISO) should be sufficiently senior in the hierarchy, reporting to top management. The CISO should be responsible for providing guidance and for ensuring awareness and implementation of security practices within the organization, and should ensure that an incident response plan is implemented under which any vulnerabilities or incidents are reported to management and the plans are revised based on lessons learned. There must also be an escalation matrix for incident reporting. Among other things, a Security Operations Centre (SOC) that continuously monitors all security events should be set up.
For any organization, there must be processes, guidelines, procedures and SOPs in place for implementation. To start with, the organization should carry out a Business Impact Analysis (BIA) to ascertain the extent of impact a cyber incident can have on its business. This should be followed by a board-approved Business Continuity Management (BCM) plan that specifically addresses cyber incidents, and an IT Disaster Recovery (DR) plan.
Since new threat vectors keep emerging, these documents need regular testing and validation, followed by updates as necessary. All information security events should be recorded in a central Security Information and Event Management (SIEM) system. Change management procedures should be put in place that include testing, failback scenarios and reporting protocols.
IT security cannot be divorced from physical security. Robust IT security depends on having adequate physical security, such as physical access control. A central Identity and Access Management (IAM) system for assigning and revoking access rights is critical. Guidance and SOPs on system usage should be put in place.
Since an organization's IT security also extends to its vendors and suppliers, it must identify and document all important suppliers and vendors (including third-party service providers) and apply security controls that specifically address supplier access to organizational systems. Contractual agreements with vendors and suppliers who access organizational systems should enforce standards of IT security, including regular audits and a feedback mechanism for reporting events and taking corrective action.
Once the organization and processes are in place, both hardware and software assets need to be configured to reduce vulnerabilities and minimize threats to the extent possible.
At a base level, the security requirements include: use of HTTPS to encrypt data in transit; protection of web servers against denial-of-service attacks, for example by using a content delivery network provider; security functionality testing; appropriately configured firewalls; segregation of internet-accessible systems such as web servers and email servers from the organization's trusted network; encrypted communications; data loss prevention software; malware protection; and restricting access to, or encrypting, confidential information stored on removable media such as USB sticks or external hard disks.
These controls by themselves are not always enough against emerging threats for every organization. Based on specific situations or circumstances, additional layers of system security need to be implemented.
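Two of the baseline controls listed above, segregation of internet-facing systems from the trusted network and enforcement of HTTPS, are the kind of thing an underwriter's questionnaire asks about and an organization can verify for itself. The following is an added example, not code from the article or from any insurer: it audits a constructed firewall rule set (first-match, default-deny semantics are assumed) for DMZ-to-trusted-network flows that are not on an approved list, and checks constructed HTTP response headers for a permanent redirect to HTTPS and a one-year HSTS policy. The network ranges, rules, probe flows and response headers are all constructed sample data.

```python
"""Added example: self-check of two baseline controls (network segregation, HTTPS
enforcement) over constructed sample data. Not the article's or any insurer's code."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed network layout: internet-facing DMZ and the internal trusted network.
DMZ = ipaddress.ip_network("192.0.2.0/24")
TRUSTED = ipaddress.ip_network("10.0.0.0/8")

# Constructed list of explicitly approved DMZ -> trusted flows (src host, dst host, port),
# e.g. the web server talking to a dedicated database host.
APPROVED_FLOWS = {("192.0.2.10", "10.1.1.5", 5432)}


@dataclass(frozen=True)
class Rule:
    src: str      # CIDR
    dst: str      # CIDR
    port: int     # 0 means any port
    action: str   # "allow" or "deny"


# Constructed rule set with a typical weakness: a broad "make it work" rule (rule 2)
# that lets every DMZ host reach the whole trusted network on any port.
SAMPLE_RULES = [
    Rule("192.0.2.10/32", "10.1.1.5/32", 5432, "allow"),
    Rule("192.0.2.0/24", "10.0.0.0/8", 0, "allow"),
    Rule("0.0.0.0/0", "0.0.0.0/0", 0, "deny"),
]

# Constructed probe flows an auditor would test: one approved, two that should be denied.
SAMPLE_PROBES = [
    ("192.0.2.10", "10.1.1.5", 5432),   # web tier -> DB, approved
    ("192.0.2.10", "10.1.1.5", 22),     # web tier -> DB over SSH, not approved
    ("192.0.2.20", "10.2.0.7", 445),    # mail server -> internal file server, not approved
]


def first_match(rules, src_ip, dst_ip, port):
    """Assumed firewall semantics: first matching rule wins; no match means deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (src in ipaddress.ip_network(r.src, strict=False)
                and dst in ipaddress.ip_network(r.dst, strict=False)
                and (r.port == 0 or r.port == port)):
            return r.action
    return "deny"


def audit_segregation(rules, probes):
    """Return the DMZ -> trusted flows that the rule set allows without approval."""
    findings = []
    for src_ip, dst_ip, port in probes:
        crosses = (ipaddress.ip_address(src_ip) in DMZ
                   and ipaddress.ip_address(dst_ip) in TRUSTED)
        if (crosses and first_match(rules, src_ip, dst_ip, port) == "allow"
                and (src_ip, dst_ip, port) not in APPROVED_FLOWS):
            findings.append((src_ip, dst_ip, port))
    return findings


# Constructed HTTP responses for the public web server: the weak case and a corrected one.
WEAK_HTTP = {"status": 200, "headers": {"Content-Type": "text/html"}}
WEAK_HTTPS = {"status": 200, "headers": {"Strict-Transport-Security": "max-age=300"}}
GOOD_HTTP = {"status": 301, "headers": {"Location": "https://www.example.com/"}}
GOOD_HTTPS = {"status": 200,
              "headers": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}}

ONE_YEAR = 31536000


def check_https_enforced(http_response, https_response):
    """Return a list of issues; an empty list means plain HTTP redirects permanently
    to HTTPS and the HTTPS response carries an HSTS policy of at least one year."""
    issues = []
    http_hdrs = {k.lower(): v for k, v in http_response["headers"].items()}
    location = http_hdrs.get("location", "")
    if http_response["status"] not in (301, 308) or not location.startswith("https://"):
        issues.append("plain HTTP is served without a permanent redirect to HTTPS")
    https_hdrs = {k.lower(): v for k, v in https_response["headers"].items()}
    m = re.search(r"max-age=(\d+)", https_hdrs.get("strict-transport-security", ""))
    if m is None or int(m.group(1)) < ONE_YEAR:
        issues.append("HSTS header missing or max-age below one year")
    return issues


if __name__ == "__main__":
    for flow in audit_segregation(SAMPLE_RULES, SAMPLE_PROBES):
        print("unapproved DMZ -> trusted flow allowed:", flow)
    for issue in check_https_enforced(WEAK_HTTP, WEAK_HTTPS):
        print("HTTPS enforcement issue:", issue)
```

Running the block against the constructed data reports the two flows that the broad second rule lets through (SSH from the web tier to the database host, and SMB from the mail server to an internal file server) and both HTTPS enforcement issues; the corrected response pair produces no findings. In practice the probe list would be generated from the asset inventory, which is one reason the article stresses documenting assets and suppliers before configuring systems.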
While cyber attacks are on the increase, the regulatory landscape is also changing, requiring organizations to put in place mechanisms to prevent theft of sensitive customer data and the resulting blowback. The financial consequences of cyber attacks are only increasing, resulting in both greater severity and greater frequency of claims. While capacity is still available for underwriting cyber insurance business, insurers are increasingly deploying it to write policies for customers who have the human organization, processes and systems in place to thwart attacks.