Recently the Cybersecurity & Infrastructure Security Agency (CISA) of the U.S. Department of Homeland Security began recommending that cybersecurity insurance firms encourage the implementation of best practices by basing premiums on an insured’s level of self-protection and cyber risk management.
However, optimizing insurance rates is only part of the picture. The other parts are (1) optimizing your coverage based on your actual risk picture, so that you don’t have gaps in coverage and (2) understanding what cyber incident response requirements your insurance may impose – for example, what must be done within the first hour of an incident. It’s important to know what is and isn’t covered, and what response capabilities must be in place, to assure that coverage stays intact and incidents won’t be disqualified resulting in a company-crippling or company-ending event.
Cyber Risk Management
The Advisen Cyber Risk Insights Conference in New York is the largest cyber risk conference for risk and insurance professionals in the world. RIMS, the risk management society®, is the preeminent organization dedicated to promoting the profession of risk management. At both the Advisen and the RIMS most recent conferences Brokers, Carriers and Risk Managers talked about how to elevate the Risk Management of Cyber Risk.
“Better cyber coverage and better pricing for going beyond the application and demonstrating what improvements you have made and what you have planned.” (Global Insurance Broker)
“Brokers should be helping Clients to demonstrate improvement.” (Global Insurance Broker)
Unfortunately, there is demonstrated general uncertainty regarding the levels of insurance coverage from cyber impact and how that should relate to cybersecurity controls.
A leading executive at a major broker in this space recently advocated that their clients should invest more in IT security improvements, like “DLP [Data Loss Prevention], end-point security, malware . . .”, but when asked if he could help his clients with deciding what improvements to invest in and what return on investment to seek, his answer was, “. . .well that is really difficult to do . . . so no.”
The problem is that the solutions available currently from Brokers and Carriers are primarily reactive, and those that are proactive are just brushing the surface by offering consulting services that focus on improving their clients’ reactive tactics – such as breach response and company policy review – which, while important, do not add enough value.
The Cyber Insurance Challenge
This leaves well-intentioned risk and security managers, as well as executive leadership, in a frustrating and untenable position. The conventional belief is that organizations are not investing enough in insurance, but often there is simply not enough information or guidance to provide a basis for informed insurance decisions.
What that major broker executive did not know is that there is an existing methodology that delivers a superior IT Security and Risk Management result that is proactive and ensures that the risks, controls and business value are all understood.
This applies not just to information system and IT infrastructure deployments, but to IoT deployments as well, including electronic physical security systems.
As insurance carriers transition away from from their currently very low competitive insurance rates, and begin setting their coverage and rates based on their clients’ security profiles, any manager or executive with responsibility for information-based systems must have – or be part of – a cyber risk management program that addresses the full spectrum of cyber liability risk.
Thus, RBCS and VBR Consulting (VBR stands for Value Based Risk) have teamed up to provide an independent opinion, along with tools, so that your organization can achieve a greater understanding of the cyber risks and the potential insurance solutions, and thus have better-informed internal conversations as well as with your brokers and insurers. VRB Consulting’s cyber/IT solutions insurance specialist, Grace Crickette, ARM, CGEIT, CCEP-I, CCSA, SHRM-SCP, and SPHR, has been named as one of Business Insurance’s Women to Watch, one of the “100 Most Influential People in Finance”, and the 2012 Information Security Executive (ISE) of the Decade. Grace is an alum of the University of Redlands and Harvard Business School.
The Value Based Risk insurance coverage evaluation methodology supports risk managers, CSOs, CISOs, their insurance brokers through a service model includes improved submission, underwriting review, loss analysis modeling, security assessment offerings, claims resolution, and create superior service for brokers’ clients.
Relating Risk to Business Value
IT security controls and best practices aren’t implemented in a vacuum. Their context is Risk Management, which generates the understanding of what controls and best practices to apply based on the value to the business and to the execution of its mission.
Our Insurance Optimization services include:
|1||Risk assessment & strategy development||The information security risk assessment (Cyber Risk/Security Questionnaire)|
|2||Tailored risk management and insurance
|Risk management and insurance program matrix that aligns with security
exposure. See Table 1 below.
|3||Optimization Roadmap||Provide multi-year roadmap plan to achieve strategic goals in a structured,
timely and cost-effective way; that is measurable and trackable.
|4||Consultation||Assist your internal and external teams|
|5||Claims advisory||Optimize your claims recovery|
Key Deliverable Documents
Evaluation Report. A comprehensive review and evaluation of your insurance policies based on your operational activities.
Risk and Coverage Rating Matrix Tool. The Risk and Coverage Rating Matrix rates all your insurance policies relative to your operational activities (abbreviated sample below). This service highlights areas where your organization can obtain coverage improvements. The Risk and Coverage Rating Matrix is a tool to advance your organization’s understanding of cybersecurity insurance and what you are protected against.
Table 1. Abbreviated Sample of VBR Consulting’s Risk and Coverage Rating Matrix
|Category||Loss Items||Property||General Liability||Kidnap & Ransom||Errors & Omissions||Crime||Cyber|
|Assets||Destruction, corruption or theft of your electronic information assets/data due to a breach of computer or network security.||Partly Adequate||Inadequate||Inadequate||Inadequate||Partly Adequate||Adequate|
|Business Interruption||Business interruption loss caused by a material interruption to your computer systems due to a breach of computer or network security.||Partly Adequate||Inadequate||Inadequate||Inadequate||Inadequate||Adequate|
|Data/Privacy Breach Costs||First party privacy breach costs including Forensics investigation, Notifications, attorney costs, call center, and credit monitoring.||Inadequate||Inadequate||Inadequate||Inadequate||Inadequate||Adequate|
|Data/Privacy Liability||Defense and liability for failure to keep information private or for failure of others that you have entrusted with information to keep it private.||Inadequate||Inadequate||Inadequate||Partly Adequate||Inadequate||Adequate|
|Information Technology Security Liability||Defense and liability for failure of IT systems to prevent spread of virus or a denial of service to those that rely on systems due to a failure in network security.||Inadequate||Inadequate||Inadequate||Partly Adequate||Inadequate||Adequate|
|Operational Technology Security Liability||Defense and liability for failure of OT systems to prevent spread of virus or a denial of service to those that rely on systems due to a failure in network security.||Inadequate||Inadequate||Inadequate||Partly Adequate||Inadequate||Adequate|
|Regulatory Defense and Fines||Defense and penalties imposed (where insurable) in connection with a regulatory action brought as a result of the unauthorized release of personal information||Inadequate||Inadequate||Inadequate||Inadequate||Inadequate||Adequate|
|Cyber Extortion||Costs of consultants and extortion monies for threats related to interrupting systems or releasing private information.||Inadequate||Inadequate||Adequate||Inadequate||Inadequate||Adequate|
|Cyber Terrorism||Security breaches or cyber extortion attempts likely with a political motivation.||Partly Adequate||Inadequate||Adequate||Inadequate||Adequate
Call Ray Bernard directly at 949-714-681--235981435-46 to schedule a phone call to discuss how a Value Based Risk insurance coverage evaluation would work for you. Or read further below to learn more.
Questions Needing AnswersHow much risk does the insurer absorb if there’s an incident? Given the pervasiveness of breaches and hacking, would you say it’s not IF a company will be breached but WHEN? How robust does cybersecurity insurance have to be? Does it depend on what type of industry a company works in? As companies use more IoT connected devices, how does that affect cybersecurity insurance? How will it change in the next 5-10 years? In general, what is the biggest mistake CISOs and security managers make when looking to buy cybersecurity insurance? How important do you think it is for companies to have cybersecurity insurance?
Value to You and Your Insurance BrokersStep 1: Risk assessment & strategy development Step 2: Tailored risk management and insurance program review Step 3: Optimization Roadmap Step 4: Consultation Step 5: Claims Advisory
Exploratory Phone Call
Call Ray Bernard directly at 949-714-681--235981435-46 to schedule a phone call to discuss how a Value Based Risk insurance coverage evaluation would work for you.
We show you how your insurance coverage can be integrated into an overall risk mitigation strategy. You can leverage your insurance program to:
- Provide a holistic cover for Information Technology
- Address issues associated with Information Technology Partners
- Drive the Governance of Enterprise Information Technology
Partner with your Chief Risk Officer and other experts not just during the insurance buying process, but throughout the year with evaluation of the risk. Put in place a Security Enterprise Risk Management Program (SERMP) or enhance your existing program, to help you and the CRO keep a pulse on the exposure/risk and allow you to be prepared to present your organization in the best light to the insurance underwriters and obtain the broadest coverage at the optimum price for your organization.
This will also make you better prepared for Board meetings and reporting on IT Risk in the language of management.
- Financial Risk – no one budgets enough for losses (failure)
- Operational Risk – buying insurance helps (forces) you to plan
- Reputation Risk – if you have a plan, you can respond better
- Compliance Risk – if you prepare and respond well you are likely to reduce missteps that can lead to regulatory violations
It’s not necessary or desirable to eliminate all risk. But it is necessary to have sufficient insurance in place reduce the impact of what would otherwise be business-ending/business-crippling incidents.
- Current cyber risk & security state assessment
- What is your meaningful cyber risk exposure?
- Know the actual risk exposure of the most critical business assets (those that matter the most to the business, and those that are of greatest interest to threat agents) and how cost-effectively they are controlling it.
- Learn the actual risk exposure of the most critical business assets (those that matter the most to the business, and those that are of greatest interest to threat agents) and how cost-effectively you are controlling it.
- An enhanced questionnaire and submission process that adds value to the insuring process and to the clients overall ability to understand what is at risk.By knowing and evidencing clients’ depth and breadth of cyber risk exposure in business terms, and quantified and qualified threat opportunity the submission is improved:
- the risk is better understood so that the broker can help the client make better decisions on retentions and limits
- the optimum coverage terms and pricing can be obtained, and
- the carriers gain even greater trust in the broker
- Completing Cyber applications and questionnaires can be challenging for risk managers and others who do not have the technical background that the Chief Information Security Officer (CISO) or CIO possess. This can lead to key assets not being identified and understood which can result in gaps in coverage and missed opportunities such as coverage enhancements.Our methodology translates the IT environment into understandable and quantifiable information that allows all parties in the organization and insuring process to speak the “same language”.
- Uncovers your overall insurance program coverage position
- Provides a review and evaluation report of your key cyber insurance policies based on your operational activities.
- Our Risk and Coverage Rating matrix is a comprehensive review of all insurance policies relative to your operational activities
- This service highlights areas where organizations can obtain coverage improvements
- The Risk and Coverage Rating matrix is a tool to advance your organizations understanding of cybersecurity insurance and what you are protected against
- Become a trusted and strategic resource to your organization by providing a superior insurance solution and delivers a roadmap to achieve strong cyber risk exposure mitigation – in a structured, timely, and cost-effective way that is objective, transparent, and measurable.
- Achieve cyber risk exposure / protection goals that ‘matter most’ to ‘who matters most’. Gain a multi-year enterprise strategy to achieve this cost-effectively.
- Our methodology will result in a tailored program that will align with your greatest cyber risk exposure strengths and weaknesses; and the greatest opportunities to reduce cyber risk exposure:
- the methodology improves your dialogue with your insurance partners (brokers, carriers, etc.)
- value provided for both security and insuring improvements, and
- ongoing monitoring of improvements leads to enhanced ability to negotiate improved coverage terms
- Provides the Risk Professional with a risk assessment process that is understandable and valuable to their entire organization. Supports collaboration between risk managers and IT security professionals. Addresses risk assessment, governance needs and provides the foundation for internal audit risk based audits.
- Tailored risk management security program multi-year business plan to achieve strong security value
- Prioritize the most cost-effective controls to gain protection / control risk exposure
- Ability to clearly articulate with confidence that you have a plan to achieve strategic goals in a structured, timely and cost-effective way; and that this is measurable and trackable.
- Have the right business plan to implement the strategy cost-effectively; leveraging existing resources, and choosing the right people, partners, and technologies to meet strategic goals and objectives.
- Ability to advise their organization to prioritize specific Critical Success Factors (CSFs) and to measure Key Performance Indicators (KPIs) to ensure cost-effective delivery of security controls to best mitigate cyber risk exposure.
- Clear communication on effective strategies (why, what, where, when) and tactics (how, who) to decrease cyber risk exposure.
- In underwriting meetings, be better prepared to discuss your business and risk profile and explain why your organization has chosen to or not to implement tools and controls and what coverage you really need.
- Tailored security controls roadmap and business plan to deliver specific controls and greater understanding of the exposures and assets at risk.
- For Brokers: Enhanced understanding of client’s risk and integrated controls for crafting the optimum coverage terms.
- For Client Organizations: Have the right plan to leverage people, process, technology, and partners to deliver a specific control cost-effectively – and to integrate controls effectively into protection-multiplying frameworks to best control cyber risk exposure.
- For Client Risk Professionals: You’ll have:
- Confidence that the coverage terms are addressing what is at risk in your IT and data environment.
- A helpful tool for reviewing and checking the policy terms prior to binding coverage.
- Policy Delivery: Our methodology will provide you insight into what needs to be insured – what assets are at risk which enhances ability to achieve contract certainty. The methodology identifies:
- Data at risk
- Assets at risk
- Systems architecture
- 3rd party dependencies
- Aggregate risk exposure
- Checks and balances for security goals, strategy and tactical performance
- Evidence to align and guide strategy and tactics
- Our methodology sets you up for success if a claim needs to be made. You have evidenced the due diligence in evaluating your risk and you understand in depth your right to recovery.
- You can demonstrate both to your Board and regulators that despite loss (claim) that this was an understood and controlled risk; and there has been investment in control of cyber risk to a demonstrable and justifiable risk appetite – evidencing due diligence.
- Strengthened ability to negotiate claim resolution.
- Brokers can demonstrate whether or not clients performed due diligence and effective control of risk
- All parties can make decisions based on objective facts that matter
- The risk and security professionals and their claims team, adjusters, experts and legal counsel have a better understanding of the current state and can therefore develop a better claims response and management strategy:
- Able to develop strategy earlier in the claims process
- Reduced claims expense
- Overall better claims outcome