Andres Rodriguez - Fotolia
Cybersecurity insurance is becoming necessary for many businesses -- much in the same way other types of critical business insurance provide a sense of comfort and protection, such as flood insurance for organizations in particularly severe weather-prone areas with flood plains. And when it rains, it pours.
Business flood insurance comes in to mitigate reputational damage; to recover the costs of data restoration and loss of business; to pay for legal costs, customer settlements and fines; and to respond to a data breach, including with forensic investigations, call center notification expenses and credit monitoring for those whose personal data was stolen.
When the technology is breached, cybersecurity insurance becomes essential to recover from the costs of data recovery and loss of business; to pay fines and customer settlements; and to rebuild a damaged reputation.
The truth is that every business is in a cybersecurity flood plain. Every business is at risk, and it's not simply about disaster recovery. The necessary exercise of acquiring cybersecurity insurance will (or should) force collaboration between the chief risk officer (CRO) or risk manager, the head of IT and the head of cybersecurity, as well as other parties.
Cybersecurity insurance doesn't replace security best practices, but it's widely accepted that insurance is a critical component that complements a solid, well-thought-out security program. The trick, though, is to make sure that critical teams within the organization work together to ensure that effective security practices, risk management practices and cybersecurity insurance are treated as part of a unified strategy. The collaborative effort can not only improve the security posture of the organization, it can potentially make it easier (and less expensive) to acquire cybersecurity insurance in the first place.
Three specific teams need to be on board when considering cyberinsurance.
- Risk management, which manages overall compliance, business continuity and asset protection.
- Security operations, which is charged with defining security policies, detecting breaches and responding to incidents.
- IT operations, which is charged with maintaining and enforcing corporate policies to ensure that controls protect its systems and data while remaining compliant with various standards and regulations.
If the CRO is talking to cybersecurity insurance companies without working with the heads of the IT and security departments, he's doing it wrong. The CRO, after all, doesn't know about all the good work being done by IT to enforce policies, or what the security team does to protect the enterprise with its technology stack and incident response practices. Without all three parties working together, the business may not be able to communicate the most current improvements or articulate implemented controls that could improve the insurance carriers' ability to differentiate risk and provide more favorable cybersecurity policy quotes.
"It's truly a multidisciplinary approach, as we want to help insurers understand our organization's capabilities around cyber defenses," said Keith Lindloff, director of insurance services at Children's Health in Dallas.
The true value of insurance, according to Pamela Arora, senior vice president and CIO of Children's Health, isn't just that an insurer writes you a check when something goes wrong. Value comes with the understanding of the risks facing the organization and the mapping of that risk to the corresponding business controls.
"It's also about seeing how the company is progressing in terms of improving its policies and reducing risks," Arora said. "When an organization is determining its level of investment in programs, a key factor to keep in mind is how you're moving the needle in terms of progress. Being able to measure your success helps you to understand whether your investment has paid off.
"Just as this type of measure is valuable internally, we believe insurers would benefit from adopting a system of standards against which organizations could be measured. This approach would ensure that the insurers and their covered organizations were speaking the same language."
When a business has solid security policies and procedures that are in tune with the latest threats, risks can be mitigated, and the general risk profile can be reduced. When the IT department follows the defined industry and regulatory practices, uses the right technology to monitor endpoints and keeps up with software patches and vulnerabilities, risks can be managed, and the risk profile can decrease. Being able to demonstrate that both the IT and security teams understand the risks and have policies to mitigate that risk can also save the organization money by making it more attractive to an insurer's actuaries.
Consider the collaboration between Zurich North America, an insurance company, and HITRUST Alliance, a nonprofit that provides healthcare organizations (like hospitals and medical practices) with a standards-based framework for managing information risk and safeguarding healthcare data. When the IT and security teams within a healthcare organization collaborate with the risk management team to demonstrate their certification for the HITRUST Common Security Framework (CSF), according to Zurich, they can both expedite their cybersecurity insurance application process and experience more favorable coverage and premiums. Experiencing either of these is a huge win for a healthcare organization, but obtaining both is the ideal scenario for enterprises.
"The Zurich-HITRUST collaboration streamlines the security and privacy insurance process for healthcare organizations by increasing the accuracy of the information required to underwrite this coverage, and can reward healthcare organizations that can document and demonstrate effective security policies, controls and practices," said Michelle Chia, vice president of Zurich North America. "If you are HITRUST-certified, you have adopted a mindset of resilience, rather than just protection. If you identify all possible risks and have an action plan in place, you will prove most resilient, and quickly get back to meeting the expectations of your customers and your shareholders."
This benefits the underwriters and insurance brokers, as well. But those streamlined processes only work when everyone in the organization pulls together and can have a consistent and recognizable conversation with the insurers.
According to Daniel Nutkis, CEO of the HITRUST Alliance, collaboration is about more than having IT staff implement any security controls while the bean counters are off buying insurance.
"We have spent years ensuring organizations that adopt the HITRUST CSF are able to manage their information risks, including cyber[security] risks," he said. "Use this as an opportunity to bring the risk manager, IT and information security leaders together to focus on risk management holistically. [Ensure] you are adopting the right controls framework, assurance and cyberinsurance in a coordinated manner to ensure you collectively understand your residual risk. The language will be consistent and in the context that the insurers can understand and appreciate."
Using programs like the HITRUST CSF to prepare for a security and privacy insurance application -- and to accurately present the company's security posture to insurers like Zurich -- can truly make a difference to the bottom line, said Sanjeev Sah, CISO at Texas Children's Hospital in Houston. Without having collaboration between the CRO, IT team and security team, insurance could be more expensive, or may not provide adequate coverage.
"Insurers ask questions that look at security measures before coming back with a coverage plan and pricing," Sah said. "If underwriters had the CSF to rely on, it provides them [with] value. If the organization is HITRUST CSF-certified, then insurers have a level of confidence to provide better pricing and better coverage."
There's risk in every enterprise, whether it's from floods that wipe out a factory or a flood of cyberattacks that breach defenses, steal patient data and harm public health. While not a replacement for technologies, processes and the people that help protect the systems and data which make the healthcare organization run, cybersecurity insurance is becoming crucial to manage that risk, and the lesson is that insurance programs are best driven by collaboration among risk managers, IT managers and the information security team. That's the smart way to survive the pending cybersecurity flood.
Find out how cognitive hacking and bad data can threaten enterprises
Read more on the benefits and drawbacks of dedicated security teams
Discover how improper SSH key management can create risk