Market for Cyber Insurance Driving Change
Although cybersecurity risk is a persistent concern for lawmakers and regulators, a uniform national standard in the United States is not imminent. Even still, the market for cyber insurance is driving change that is starting to look and feel like a compliance standard. A change that is long overdue.
Unfortunately, insurance carriers are not yet uniform in how they assess or analyze risk. There are, however, common elements that most carriers require. Those common elements are the basics. The fundamentals. The solutions that meet not only the insurance company’s new underwriting requirements but also state and federal regulatory requirements.
We shared these in our recent Cyber 5 – Basics for SMBs series (check that out here: https://www.arch-canopy.com/blog-1). In addition to those, here are three more cybersecurity fundamentals that insurance companies are asking about in their underwriting questionnaires:
Incident Response (IR) Plan – An IR Plan doesn’t prevent a breach, but it reduces the impact of a breach, thereby minimizing the potential claim payout by the insurance company.
Managed Detection and Response (MDR) and/or Extended Detection and Response (XDR) – These solutions add a layer of security on top of your next-generation firewall and endpoint protection. While it can be challenging to differentiate MDR and XDR solutions, you need that extra layer to help reduce your cybersecurity risk. And risk reduction is what insurance companies are all about.
Email Security – AKA anti-phishing. The end-user is the biggest target and email is the easiest way to get to the target. The end-user can also be your biggest defense. Along with end-user training and awareness, email security is now a required layer to protect against phishing attacks.
Insurance companies are in the business of managing risk. As cybersecurity risk increases, large enterprises and government agencies are increasingly forcing smaller vendor companies in their supply chain to obtain cyber insurance to manage the risk of a data breach. Often, those vendor companies do not have the technical safeguards in place to reduce the risk of, and mitigate the effect of, a bad data breach. Those technical safeguards are tools and solutions that are widely available, but often procured improperly, misconfigured, and erroneously deployed due to a lack of security expertise.
So, although the insurance market is driving broad changes toward a standard of cybersecurity risk management, there remains a need for service providers that can close the gap between cyber risk and the technology deployed to manage that risk.