Risk assessments are essential for cyber resilience and insurance
Cyber resilience is a concern for senior leaders, but a compliance-driven approach isn’t good enough.
Cyber risk is one of the top risk concerns for senior leaders. Deciding whether to buy cyber insurance, and how much risk to transfer, is rarely straightforward. An increase in both the frequency and the cost of ransomware attacks over the last 3 years has resulted in higher premiums as well as restrictions in capacity and cover.
In today's interconnected world, organisations face increasing risks from cyber-attacks on systems and data, including in the supply chain. Implementing security measures based on compliance frameworks set by external industry bodies to mitigate those risks can seem sensible. It gives partners and colleagues assurance that critical controls are in place.
However, cyber compliance is different from managing cyber risk. Compliance with frameworks can be an important part of a comprehensive cybersecurity strategy, but it does not guarantee immunity from cyber threats. It can also give you a false sense of security.
Underwriters now expect more than compliance with a core set of controls
Many insurers responded to the evolving threat landscape by setting a minimum control baseline, with little or no capacity offered if evidence of core controls could not be demonstrated. Typically, such controls and processes include:
- Multi-Factor Authentication (MFA),
- privileged access management controls and procedures,
- vulnerability and patch management processes,
- use of monitoring and detection capabilities such as a security operations centre (SOC),
- security information and event management (SIEM),
- endpoint detection and response (EDR),
- incident response planning and testing, and
- evidence of a robust and regularly tested backup solution.
Implemented effectively, these controls will help improve resilience, and cyber underwriters will recognise them, but risk assessments are increasingly important in the cyber insurance journey. Cyber underwriters now look far beyond adherence to regulatory requirements and industry standards.
It is important to consider a risk-based approach to developing cyber resilience by identifying and prioritising the cybersecurity risks specific to your organisation. Buyers that are prepared to be proactive and able to discuss their organisation’s cyber risk journey with insurers can make negotiations run more smoothly and ultimately obtain a more fit-for-purpose cyber policy.
Risk assessments are key for businesses to be better prepared for the cyber insurance purchasing journey
A comprehensive risk assessment that considers the threat landscape and the potential impact on operations, finance, data, and systems will allow for better-quality discussions between cyber underwriters, brokers, Chief Information Security Officers, and IT security teams.
This risk assessment will inform the implementation of the controls and procedures most relevant to your organisation. Developing cyber resilience before buying cyber insurance will likely have a positive impact on premium and retention levels, the amount of capacity available, and, most importantly, your overall resilience to an increasingly challenging cyber landscape.
We can help
The Zurich Resilience Solutions (ZRS) cyber team provides specialist risk management services to support you in developing cyber resilience.
For further information, or to discuss the issues raised in this article, contact zrs.enquiries@uk.zurich.com or visit https://www.zurich.co.uk/business/our-expertise/zurich-resilience-solutions