You are about to leave Risk Strategies website and view the content of an external website.
You are leaving risk-strategies.com
By accessing this link, you will be leaving Risk Strategies website and entering a website hosted by another party. Please be advised that you will no longer be subject to, or under the protection of, the privacy and security policies of Risk Strategies website. We encourage you to read and evaluate the privacy and security policies of the site you are entering, which may be different than those of Risk Strategies.
With the ever-growing threat of bad cyber actors disrupting critical processes, a systemic risk assessment of potential cyber vulnerabilities is more important than ever. From an insurer's perspective, the benefits of establishing best practices for doing so extend to every activity, from businesses large or small to Private Client concerns.
On its face, this can be a daunting task. Whereas most cyber events have a narrowly defined set of victims, a systemic cyber incident could do damage on a national or even a global scale—threatening the digital infrastructure that entire societies, economies and governments rely on to function.
The growth and scope of these threats ripples through the cyber insurance industry as well. Underwriting requirements have tightened, and for many insureds, CBI (Contingent Business Interruption) policies have been sub-limited as a cost-containment strategy—for instance, a client may carry a $10 million policy limit, but CBI is sub-limited to only a small portion, i.e., $250,000. This is generally far less than will cover actual losses an insured may suffer in the event of a devastating cyber attack.
What are the key steps insureds can take to not only safeguard themselves against cyber attacks, but also satisfy systemic risk underwriting requirements for more thorough protection within their cyber insurance coverage? Here are a few important recommendations:
Develop Strong Vendor Relationships and Controls
Contracting with established, reputable vendors is the first and most obvious step to take to protect infrastructure and demonstrate the robustness of internal controls to underwriters.
From a broader perspective, as businesses increase their reliance on outsourcing for information technology products and services, vendor risk management (VRM) has become a crucial component of any enterprise risk management framework. It is in the best interest of your organization to manage vendor risks before, during and after a vendor relationship ends. VRM ensures that third-party products, IT vendors, and service providers do not lead to business disruption or financial and reputational damage.
Stay on Top of Critical Patching
Implementing well-structured patch management is a part of the process for organizations to become cybersecurity compliant. Recent studies indicate that poor patch management accounts for as much as 57% of data breaches; a poor patch management system leaves sensitive data exposed and easily susceptible to malware and ransomware attacks.
Common areas that will need patches include operating systems, applications, and embedded systems (like network equipment). Timely patch management helps maintain operational efficacy by correcting software errors detected after release, and by mitigating security vulnerabilities.
Although many organizations handle patch management on their own, some managed service providers perform patch management in conjunction with the other network management services they provide. If your organization goes this route, consider the vendor relationship risks involved.
Implement a Strong Risk Management Framework
For firms of any size or classification, establishing a risk management culture and the infrastructure to support it is essential. Implementing a successful risk management program means detailing how a firm identifies, analyzes, evaluates, treats, and manages risk.
A well-designed, all-inclusive risk management framework provides a roadmap to avert corporate disaster and competitive disadvantages and demonstrates the types of controls that underwriters look for in determining a firm’s insurability. A well-developed program will detail controls in multiple areas, including:
Marketing and communications
Staff and human resources issues
Information and resource management
IT issues and security
Acceptance and continuance of clients
Cash flow management
Create Thorough Business Continuity & Disaster Recovery Plans
As we have seen too often over the past few years, major cyber attacks happen even to the best-prepared organizations. When breaches do occur, firms need to have detailed and nimble business continuity and disaster recovery (BCDR) plans in place.
The term “cyber resilience” refers to a business's ability to continuously deliver on its intended outcome despite adverse cyber events. Implementing a cyber resilience strategy as part of your company’s BCDR plan can ensure that the organization can continue operations, perhaps at reduced capacity, even in the face of ongoing attacks.
Engage with Specialty Brokers
The cyber risk landscape is continually shifting, and new threats continue to emerge. By acting robustly to protect its own interests, a business also provides an added layer of security for interconnected businesses and drivers within the global economy.
A key component of systemic risk assessment is engaging with a specialty broker in cyber insurance, especially one that can serve both business and private client needs. We can help to identify the latest trends, emerging areas of concern, and recommended best practices to assure that your cyber coverage provides optimal protection for your business.
The contents of this article are for general informational purposes only and Risk Strategies Company makes no representation or warranty of any kind, express or implied, regarding the accuracy or completeness of any information contained herein. Any recommendations contained herein are intended to provide insight based on currently available information for consideration and should be vetted against applicable legal and business needs before application to a specific client.