An insurance company’s primary role is to make its clients whole when they suffer damage or loss. But what happens when the loss comes from a cyber attack? This is a newer realm, and it is often more complicated than a physical theft, but the comparison is still useful. When a physical theft happens, the insurance company first assesses whether its client’s premises were secure. Did someone forget to lock the door? Was the alarm system broken or outdated? In short, the insurer has to evaluate whether the loss was avoidable.
Then the insurance company checks whether the security system was disabled by the intruder, and several things can follow from that: upgrade the system, find the flaw, and work out how the perpetrator pulled off the theft. Maybe the perpetrator was a professional, in which case the security system needs to be upgraded. Or maybe the perpetrator was a petty crook who got lucky or used brute force to break in, in which case a different security measure needs to be added.
The same thought process applies to cybersecurity insurance. Cyber attacks range from petty to professional, much like traditional robbers, so a very similar evaluation applies when the insurer assesses an attack. The insurer simply needs to ask the right questions, such as:
• Did the client have a firewall, and how recently was it patched and its rule set reviewed?
• Does the client have a Chief Security Officer (CSO) to keep cybersecurity a top priority?
• Did the client perform any penetration tests to verify that the firewall and the systems behind it actually resist attack? (No test proves a firewall is impenetrable; a penetration test shows what an attacker could reach at the time of testing, so its date and scope matter as much as its result.)
• Is the client in compliance with government regulations and policies?

Most of these questions actually come from one or more common security control frameworks, packaged either as an industry standard or as legislation. Examples are the ISO/IEC 27001 standard and the HIPAA Security Rule. If you want more information about these regulations and standards, check out our Third Party Security Regulations blog, which covers many of them.
This is why insurance companies should invest in a cyber assessment automation system, to make sure their clients stay up to date on their regulations and security controls. An insurance company wouldn’t sign on a client who owned a small jewelry shop with only one lock on the door and a large, thin glass window. It would tell the owner that the shop needed a secure window and additional locks and security systems before it could be insured. The same applies to cybersecurity. And as technology changes, insurance companies may have long-time clients whom they never thought to ask what type of computer systems they use, what information they gather, and how well those systems are protected.
So it’s incredibly important that insurance companies do their research not only on new clients but on existing clients as well, to ensure they are in compliance with all regulations and policies and to protect both the client and the insurer.