Departments outside of IT own much of the data the insurance questionnaire asks about. For example, human resources stores sensitive employee data such as salaries, social security numbers, and health insurance information. Finance is responsible for keeping vendor data, payment records, bank information, and similar assets properly secured. If your organization has a software development team, secure application development and data privacy are that team's responsibility.
A Governance, Risk, and Compliance (GRC) team is tasked with implementing cybersecurity and data protection frameworks. In a small business, the GRC team may consist of VPs and department heads. Larger companies might have a dedicated team, and enterprise-level firms often have a GRC function that reports directly to the board.
Proactive security measures that lower premiums
Most likely, the CIO of your organization will have to complete the insurance questionnaire. If your company has a Chief Information Security Officer (CISO), the CIO can lean on them for support in answering the questions. A CISO ensures that security policies are written and approved and that the corresponding controls are actually deployed, which is what puts you in a position to receive the best quote possible.
Examples of proactive security measures
Proactive security measures include:
- Segmenting or micro-segmenting the organization’s network to reduce risk.
- Deploying a next-generation firewall (NGFW) at the network perimeter.
- Deploying endpoint detection and response (EDR) software on all endpoints, with the alerts monitored 24x7x365.
- Implementing a security information and event management (SIEM) tool.
- Employing monthly vulnerability assessments and cleanup.
- Enforcing multi-factor authentication (MFA) for system logins such as e-mail, network access, and VPN access.
- Assessing overall information security through a third-party evaluation based on a proven framework such as the NIST Cybersecurity Framework.
- Providing regular cybersecurity awareness and training to all employees.
- Initiating a GRC program with policies, guidelines, and processes.
On the other hand, if your business has gaps or you don't have a dedicated CISO, don't panic.
Not every company can deploy the kind of fully formed cybersecurity program that cyber risk insurance often entails, at least not without some help.
The above list is a big ask. Unless the company has experienced information security leadership, or has already been through one or more data breaches and built its program in response, it will need outside security help.
Understanding data management risks
Cyber risk insurance is a way to transfer risk to a third party. Information security controls, by contrast, act as preventive, detective, and deterrent measures against threat actors. The goal of combining the two is to manage risk and prevent costly incidents such as:
- Accidental leak of sensitive or personally identifiable data.
- A ransomware attack that locks your business out of mission-critical systems.
- A business email compromise (BEC) that causes unexpected revenue loss.
- An insider threat from a bad actor within the company.
Suppose your business already has a functioning security program, but the process of securing cyber risk insurance reveals new, high-risk areas. How can you mitigate those risks as far as possible (and lower your insurance costs)?
Mitigating risks
To start, you will need to understand the fundamentals of your company’s data.
- Who are you gathering data on? Customers? Employees? Visitors to your website or mobile application? Prospective customers? Are you purchasing email lists?
- What information is collected? Demographic data such as addresses? Sensitive data such as credit card numbers, birthdates, and social security numbers? Do you track metrics about employees and customers?
- When is data gathered? At the point of first contact? At each customer interaction?
- Where is the data stored?
- Why are you storing that information, and how long is it stored?
- How is it secured? Is it encrypted at rest and in transit? Is it protected by other means, such as access controls?
Finding help with cybersecurity and insurance
As you fill out the insurance questionnaire, you will see where your cyber risk insurance provider may find weaknesses in your environment. Thankfully, the questionnaire itself provides a starting point for the risk management approaches to consider. Improving your security program will require you to work with each department of your company, and you may need to partner with a third-party cybersecurity provider. That partner could take the form of auditors or an advisor like OnX that prioritizes cybersecurity and information security management.
Get in touch to learn more about how OnX can guide your company on the journey to cyber risk insurance and enhanced cybersecurity.