Validating Insurance for IT Solutions

Recently the Cybersecurity & Infrastructure Security Agency (CISA) of the U.S. Department of Homeland Security began recommending that cybersecurity insurance firms encourage the implementation of best practices by basing premiums on an insured’s level of self-protection and cyber risk management.

However, optimizing insurance rates is only part of the picture. The other parts are (1) optimizing your coverage based on your actual risk picture, so that you don’t have gaps in coverage, and (2) understanding what cyber incident response requirements your insurance may impose – for example, what must be done within the first hour of an incident. It’s important to know what is and isn’t covered, and what response capabilities must be in place, to ensure that coverage stays intact and that incidents won’t be disqualified, resulting in a company-crippling or company-ending event.

Cyber Risk Management

The Advisen Cyber Risk Insights Conference in New York is the largest cyber risk conference for risk and insurance professionals in the world. RIMS, the risk management society®, is the preeminent organization dedicated to promoting the profession of risk management. At both the most recent Advisen and RIMS conferences, Brokers, Carriers and Risk Managers talked about how to elevate the Risk Management of Cyber Risk.

“Better cyber coverage and better pricing for going beyond the application and demonstrating what improvements you have made and what you have planned.”  (Global Insurance Broker)

“Brokers should be helping Clients to demonstrate improvement.” (Global Insurance Broker)

Unfortunately, there is demonstrable general uncertainty regarding what levels of insurance coverage against cyber impacts are appropriate and how that coverage should relate to cybersecurity controls.

A leading executive at a major broker in this space recently advocated that their clients should invest more in IT security improvements, like “DLP [Data Loss Prevention], end-point security, malware . . .”, but when asked if he could help his clients with deciding what improvements to invest in and what return on investment to seek, his answer was, “. . .well that is really difficult to do . . . so no.”

The problem is that the solutions available currently from Brokers and Carriers are primarily reactive, and those that are proactive are just brushing the surface by offering consulting services that focus on improving their clients’ reactive tactics – such as breach response and company policy review – which, while important, do not add enough value.

The Cyber Insurance Challenge

This leaves well-intentioned risk and security managers, as well as executive leadership, in a frustrating and untenable position. The conventional belief is that organizations are not investing enough in insurance, but often there is simply not enough information or guidance to provide a basis for informed insurance decisions.

What that major broker executive did not know is that there is an existing methodology that delivers a superior IT Security and Risk Management result that is proactive and ensures that the risks, controls and business value are all understood.

This applies not just to information system and IT infrastructure deployments, but to IoT deployments as well, including electronic physical security systems.

As insurance carriers transition away from their currently very low competitive insurance rates, and begin setting their coverage and rates based on their clients’ security profiles, any manager or executive with responsibility for information-based systems must have – or be part of – a cyber risk management program that addresses the full spectrum of cyber liability risk.

Thus, RBCS and VBR Consulting (VBR stands for Value Based Risk) have teamed up to provide an independent opinion, along with tools, so that your organization can achieve a greater understanding of the cyber risks and the potential insurance solutions, and thus have better-informed internal conversations as well as with your brokers and insurers. VBR Consulting’s cyber/IT solutions insurance specialist, Grace Crickette, ARM, CGEIT, CCEP-I, CCSA, SHRM-SCP, and SPHR, has been named as one of Business Insurance’s Women to Watch, one of the “100 Most Influential People in Finance”, and the 2012 Information Security Executive (ISE) of the Decade. Grace is an alum of the University of Redlands and Harvard Business School.

The Value Based Risk insurance coverage evaluation methodology supports risk managers, CSOs, CISOs and their insurance brokers through a service model that includes improved submission, underwriting review, loss analysis modeling, security assessment offerings and claims resolution, and creates superior service for brokers’ clients.

Relating Risk to Business Value

IT security controls and best practices aren’t implemented in a vacuum. Their context is Risk Management, which generates the understanding of what controls and best practices to apply based on the value to the business and to the execution of its mission.

Our Insurance Optimization services include:

Step 1. Risk assessment & strategy development: The information security risk assessment (Cyber Risk/Security Questionnaire).
Step 2. Tailored risk management and insurance program review: Risk management and insurance program matrix that aligns with security exposure. See Table 1 below.
Step 3. Optimization Roadmap: Provide a multi-year roadmap plan to achieve strategic goals in a structured, timely and cost-effective way that is measurable and trackable.
Step 4. Consultation: Assist your internal and external teams.
Step 5. Claims advisory: Optimize your claims recovery.

Key Deliverable Documents

Evaluation Report. A comprehensive review and evaluation of your insurance policies based on your operational activities.

Risk and Coverage Rating Matrix Tool. The Risk and Coverage Rating Matrix rates all your insurance policies relative to your operational activities (abbreviated sample below). This service highlights areas where your organization can obtain coverage improvements. The Risk and Coverage Rating Matrix is a tool to advance your organization’s understanding of cybersecurity insurance and what you are protected against.

Table 1. Abbreviated Sample of VBR Consulting’s Risk and Coverage Rating Matrix

Each row names a loss category and its loss items, followed by the adequacy rating of the coverage provided under each policy type: Property, General Liability, Kidnap & Ransom, Errors & Omissions, Crime and Cyber.

Assets: Destruction, corruption or theft of your electronic information assets/data due to a breach of computer or network security.
  Property: Partly Adequate; General Liability: Inadequate; Kidnap & Ransom: Inadequate; Errors & Omissions: Inadequate; Crime: Partly Adequate; Cyber: Adequate

Business Interruption: Business interruption loss caused by a material interruption to your computer systems due to a breach of computer or network security.
  Property: Partly Adequate; General Liability: Inadequate; Kidnap & Ransom: Inadequate; Errors & Omissions: Inadequate; Crime: Inadequate; Cyber: Adequate

Data/Privacy Breach Costs: First party privacy breach costs including forensics investigation, notifications, attorney costs, call center, and credit monitoring.
  Property: Inadequate; General Liability: Inadequate; Kidnap & Ransom: Inadequate; Errors & Omissions: Inadequate; Crime: Inadequate; Cyber: Adequate

Data/Privacy Liability: Defense and liability for failure to keep information private or for failure of others that you have entrusted with information to keep it private.
  Property: Inadequate; General Liability: Inadequate; Kidnap & Ransom: Inadequate; Errors & Omissions: Partly Adequate; Crime: Inadequate; Cyber: Adequate

Information Technology Security Liability: Defense and liability for failure of IT systems to prevent spread of a virus or a denial of service to those that rely on the systems, due to a failure in network security.
  Property: Inadequate; General Liability: Inadequate; Kidnap & Ransom: Inadequate; Errors & Omissions: Partly Adequate; Crime: Inadequate; Cyber: Adequate

Operational Technology Security Liability: Defense and liability for failure of OT systems to prevent spread of a virus or a denial of service to those that rely on the systems, due to a failure in network security.
  Property: Inadequate; General Liability: Inadequate; Kidnap & Ransom: Inadequate; Errors & Omissions: Partly Adequate; Crime: Inadequate; Cyber: Adequate

Regulatory Defense and Fines: Defense and penalties imposed (where insurable) in connection with a regulatory action brought as a result of the unauthorized release of personal information.
  Property: Inadequate; General Liability: Inadequate; Kidnap & Ransom: Inadequate; Errors & Omissions: Inadequate; Crime: Inadequate; Cyber: Adequate

Cyber Extortion: Costs of consultants and extortion monies for threats related to interrupting systems or releasing private information.
  Property: Inadequate; General Liability: Inadequate; Kidnap & Ransom: Adequate; Errors & Omissions: Inadequate; Crime: Inadequate; Cyber: Adequate

Cyber Terrorism: Security breaches or cyber extortion attempts likely with a political motivation.
  Property: Partly Adequate; General Liability: Inadequate; Kidnap & Ransom: Adequate; Errors & Omissions: Inadequate; Crime: (not given); Cyber: Adequate

Call Ray Bernard directly at 949-714-681--235981435-46 to schedule a phone call to discuss how a Value Based Risk insurance coverage evaluation would work for you. Or read further below to learn more.

Questions Needing Answers

  • How much risk does the insurer absorb if there’s an incident?
  • Given the pervasiveness of breaches and hacking, would you say it’s not IF a company will be breached but WHEN?
  • How robust does cybersecurity insurance have to be? Does it depend on what type of industry a company works in?
  • As companies use more IoT connected devices, how does that affect cybersecurity insurance? How will it change in the next 5-10 years?
  • In general, what is the biggest mistake CISOs and security managers make when looking to buy cybersecurity insurance?
  • How important do you think it is for companies to have cybersecurity insurance?

Value to You and Your Insurance Brokers

  • Step 1: Risk assessment & strategy development
  • Step 2: Tailored risk management and insurance program review
  • Step 3: Optimization Roadmap
  • Step 4: Consultation
  • Step 5: Claims Advisory

Exploratory Phone Call

Call Ray Bernard directly at 949-714-681--235981435-46 to schedule a phone call to discuss how a Value Based Risk insurance coverage evaluation would work for you.

Your financial loss will depend on your deductible (risk retention), the coverage terms (not all expenses may be covered), and the amount of coverage you purchased (the loss might exceed the limits of your coverage). You might also have compliance issues (fines and penalties) that are not insurable by law (public policy). The impact of the loss may also include reputation risk, loss of accreditation/certification, and operational disruption including but not limited to loss of revenue. You may also have a delay in receiving coverage determinations due to having multiple policies that insure you for the same exposure.

We show you how your insurance coverage can be integrated into an overall risk mitigation strategy. You can leverage your insurance program to:

  • Provide a holistic cover for Information Technology
  • Address issues associated with Information Technology Partners
  • Drive the Governance of Enterprise Information Technology

Given the pervasiveness of breaches and hacking, would you say it’s not IF a company will be breached but WHEN?

Yes, but the most common loss is data/system compromise that may not arise from a breach or a hack, but rather from data exposure or data loss. These losses can also easily exceed $1m in claims cost and occur with greater frequency than a breach.

How robust does cybersecurity insurance have to be? Does it depend on what type of industry a company works in?

Align the limits and terms of your coverage to the data that you have – meaning that the nature or sensitivity of the data, along with the number of data records, should be primary in your evaluation. While you want to understand the strength of the systems where the data resides (your own or a business partner’s), you should assume that the system is always at risk. If you can understand, manage and reduce the data at risk, and have a holistic insurance program that provides for your data anywhere and at any time, then you will have a “robust” insurance program.

As companies use more IoT connected devices, how does that affect cybersecurity insurance?

Fortunately for the insurance community, both buyers and sellers are monitoring IoT: vehicles, medical devices, appliances, utilities, etc. are all top-of-mind, and the insurance market and captive insurance programs are designing bespoke products and solutions for IoT.

In general, what is the biggest mistake CISOs and security managers make when looking to buy cybersecurity insurance?

Failing to maintain sufficient insight into and awareness of ongoing exposures, resulting – for example – in being ill-prepared to answer board level and senior executive questions and to informatively discuss the issues they raise.

Partner with your Chief Risk Officer and other experts not just during the insurance buying process, but throughout the year with evaluation of the risk. Put in place a Security Enterprise Risk Management Program (SERMP) or enhance your existing program, to help you and the CRO keep a pulse on the exposure/risk and allow you to be prepared to present your organization in the best light to the insurance underwriters and obtain the broadest coverage at the optimum price for your organization.

This will also make you better prepared for Board meetings and reporting on IT Risk in the language of management.

It is important to manage:

  • Financial Risk – no one budgets enough for losses (failure)
  • Operational Risk – buying insurance helps (forces) you to plan
  • Reputation Risk – if you have a plan, you can respond better
  • Compliance Risk – if you prepare and respond well you are likely to reduce missteps that can lead to regulatory violations

It’s not necessary or desirable to eliminate all risk. But it is necessary to have sufficient insurance in place to reduce the impact of what would otherwise be business-ending/business-crippling incidents.

Step 1: Risk assessment & strategy development

Our Offering:

  • Current cyber risk & security state assessment
  • What is your meaningful cyber risk exposure?

Value:

  • Know the actual risk exposure of the most critical business assets (those that matter the most to the business, and those that are of greatest interest to threat agents) and how cost-effectively you are controlling it.
  • An enhanced questionnaire and submission process that adds value to the insuring process and to the client’s overall ability to understand what is at risk. By knowing and evidencing the client’s depth and breadth of cyber risk exposure in business terms, and the quantified and qualified threat opportunity, the submission is improved:
    • the risk is better understood so that the broker can help the client make better decisions on retentions and limits
    • the optimum coverage terms and pricing can be obtained, and
    • the carriers gain even greater trust in the broker
  • Completing Cyber applications and questionnaires can be challenging for risk managers and others who do not have the technical background that the Chief Information Security Officer (CISO) or CIO possess. This can lead to key assets not being identified and understood, which can result in gaps in coverage and missed opportunities such as coverage enhancements. Our methodology translates the IT environment into understandable and quantifiable information that allows all parties in the organization and insuring process to speak the “same language”.

Step 2: Tailored risk management and insurance program review

Our Offering:

  • Uncovers your overall insurance program coverage position
  • Provides a review and evaluation report of your key cyber insurance policies based on your operational activities.
  • Our Risk and Coverage Rating matrix is a comprehensive review of all insurance policies relative to your operational activities
  • This service highlights areas where organizations can obtain coverage improvements
  • The Risk and Coverage Rating matrix is a tool to advance your organization’s understanding of cybersecurity insurance and what you are protected against

Value:

  • Become a trusted and strategic resource to your organization by providing a superior insurance solution and a roadmap to achieve strong cyber risk exposure mitigation – in a structured, timely, and cost-effective way that is objective, transparent, and measurable.
  • Achieve cyber risk exposure / protection goals that ‘matter most’ to ‘who matters most’. Gain a multi-year enterprise strategy to achieve this cost-effectively.
  • Our methodology will result in a tailored program that will align with your greatest cyber risk exposure strengths and weaknesses; and the greatest opportunities to reduce cyber risk exposure:
    • the methodology improves your dialogue with your insurance partners (brokers, carriers, etc.)
    • value provided for both security and insuring improvements, and
    • ongoing monitoring of improvements leads to enhanced ability to negotiate improved coverage terms
  • Provides the Risk Professional with a risk assessment process that is understandable and valuable to their entire organization. Supports collaboration between risk managers and IT security professionals. Addresses risk assessment and governance needs and provides the foundation for risk-based internal audits.

Step 3: Optimization Roadmap

Our Offering:

  • Tailored risk management security program multi-year business plan to achieve strong security value
  • Prioritize the most cost-effective controls to gain protection / control risk exposure

Value:

  • Ability to clearly articulate with confidence that you have a plan to achieve strategic goals in a structured, timely and cost-effective way; and that this is measurable and trackable.
  • Have the right business plan to implement the strategy cost-effectively; leveraging existing resources, and choosing the right people, partners, and technologies to meet strategic goals and objectives.
  • Ability to advise your organization to prioritize specific Critical Success Factors (CSFs) and to measure Key Performance Indicators (KPIs) to ensure cost-effective delivery of security controls to best mitigate cyber risk exposure.
  • Clear communication on effective strategies (why, what, where, when) and tactics (how, who) to decrease cyber risk exposure.
  • In underwriting meetings, be better prepared to discuss your business and risk profile and explain why your organization has chosen to or not to implement tools and controls and what coverage you really need.

Step 4: Consultation

Our Offering:

  • Tailored security controls roadmap and business plan to deliver specific controls and greater understanding of the exposures and assets at risk.

Value:

  • For Brokers: Enhanced understanding of client’s risk and integrated controls for crafting the optimum coverage terms.
  • For Client Organizations: Have the right plan to leverage people, process, technology, and partners to deliver a specific control cost-effectively – and to integrate controls effectively into protection-multiplying frameworks to best control cyber risk exposure.
  • For Client Risk Professionals: You’ll have:
    • Confidence that the coverage terms are addressing what is at risk in your IT and data environment.
    • A helpful tool for reviewing and checking the policy terms prior to binding coverage.
  • Policy Delivery: Our methodology will provide you insight into what needs to be insured – what assets are at risk – which enhances the ability to achieve contract certainty. The methodology identifies:
    • Data at risk
    • Assets at risk
    • Systems architecture
    • 3rd party dependencies
    • Aggregate risk exposure

Step 5: Claims Advisory

Our Offering:

  • Checks and balances for security goals, strategy and tactical performance
  • Evidence to align and guide strategy and tactics

Value:

  • Our methodology sets you up for success if a claim needs to be made. You have evidenced the due diligence in evaluating your risk and you understand in depth your right to recovery.
  • You can demonstrate both to your Board and to regulators that, despite the loss (claim), this was an understood and controlled risk, and that there has been investment in control of cyber risk to a demonstrable and justifiable risk appetite – evidencing due diligence.
  • Strengthened ability to negotiate claim resolution.
    • Brokers can demonstrate whether or not clients performed due diligence and effective control of risk
    • All parties can make decisions based on objective facts that matter
  • The risk and security professionals and their claims team, adjusters, experts and legal counsel have a better understanding of the current state and can therefore develop a better claims response and management strategy:
    • Able to develop strategy earlier in the claims process
    • Reduced claims expense
    • Overall better claims outcome