Q&A
Building a CyberInsurance Compliant Security Infrastructure
"Insurance companies are for profit, and they are losing a lot of money on CyberInsurance right now," says John O'Neill Sr. "So they're trying to tighten up those losses and make it harder for them to lose money when they pay out on these claims."
So what to do about that?
O'Neill Sr., a CyberInsurance expert and chief technologist at AWS Solutions, has the answers and regularly shares them as a sought-after speaker at live tech events where he helps organizations thrive in the evolving CyberInsurance landscape, forever changed by the years-long and still-going-strong ransomware deluge.
Next month he's going to be on the virtual road again in a hands-on TechMentor training seminar titled Building a CyberInsurance Compliant Security Infrastructure, taking place Sept. 7-8.
The workshop is for IT support professionals, cybersecurity pros and Chief Information Security Officers who must become, and remain, well versed in the nuances of cyberinsurance. When attackers strike and operations suffer, good cyberinsurance may make the difference between a few stressful days, or catastrophic monetary losses.
At the TechMentor event, attendees will learn:
- How to create advanced protection and recovery designs including Secure Fabric and Rapidly Deployable Secure Network architectures
- About creating effective Incident Response Plans, Business Continuity Plans, and Disaster Recovery plans
- The top things to do now, preventing compliance heartbreak at renewal
- Finish this seminar with the tools and skills to obtain CyberInsurance policies with the highest coverages, lowest deductibles, and lowest premiums
He might also help attendees create a CyberInsurance policies checklist like the one below that he used for a previous event in a different venue.
[Click on image for larger view.] A High-Level CyberInsurance Polices Checklist
We recently caught up with O'Neill Sr. to learn more about his event and CyberInsurance in general in a short Q&A.
Redmond: What's the difference between CyberInsurance and traditional insurance? Are there types of businesses that definitely need CyberInsurance, and others that can afford to skip it?
O'Neill Sr.: Traditional insurance and CyberInsurance cater to different aspects of risks and liabilities organizations face. Scope of coverage, nature of risks, claim triggers, needed expertise and rate of change are all areas of deep differences between traditional insurance and CyberInsurance. As the IT component of every organization's operation grows, the distinction between these insurance types becomes more evident, and the importance of having both becomes paramount. The coverages needed vary significantly based on how an organization operates, the customers it serves, and how they use technology. During this seminar, attendees learn the skills necessary to decide what CyberInsurance coverage they should get.
Does CyberInsurance cover you against all types of security attacks, or are there exceptions? What about cases of insider attacks?
CyberInsurance policies aim to cover a wide range of CyberSecurity attacks, but it's essential to understand that no single policy will cover all types of incidents without exceptions. The coverage largely depends on the specifics of the policy, the insurer, and sometimes even the premium paid.
"While CyberInsurance is a powerful tool in an organization's risk management strategy, it's essential to recognize its limits and ensure the policy aligns with the organization's specific risks."
John O'Neill Sr., chief technologist, AWS Solutions
While CyberInsurance is a powerful tool in an organization's risk management strategy, it's essential to recognize its limits and ensure the policy aligns with the organization's specific risks.
Say you're a partner with customers, and your customers have customers, etc. How far down the supply chain does CyberInsurance go?
CyberInsurance primarily covers the insured entity -- usually the primary organization that acquired the policy. However, given the intricacies of modern business relationships and the interconnected nature of supply chains, a cyber event impacting a customer, vendor or partner can cascade and affect the primary insured organization. As a result, many organizations are rightfully concerned about the cyber risk exposure of their customers, suppliers and partners.
Regarding CyberInsurance and the supply chain, areas to consider are direct coverage, contingent business interruption, customer and vendor requirements, due diligence and notification and liability clauses.
While a standard CyberInsurance policy may not directly extend down the supply chain, there are mechanisms, like CBI coverage, that can provide a level of protection against cyber incidents in the supply chain. Even so, businesses should proactively manage their supply chain risks by combining insurance with diligent CyberSecurity assessments, contractual requirements and ongoing monitoring.
When you're vetting a CyberInsurance provider, what are the red flags that organizations need to look out for? Any green flags? What are the biggest mistakes you see organizations making when they're choosing providers and plans?
Choosing the right CyberInsurance provider is crucial, given the digital threats companies face today. Let's delve into some things everyone should watch for when vetting a CyberInsurance provider.
First the red flags. Watch out for providers taking a one-size-fits-all approach or who have limited claims history. Also keep an eye out for a lack of clarity or a provider with inadequate response resources.
Now, the green flags. The best providers have specialized cyber teams, provide clear communication and proactive risk assessments, and work with reputable, stable underwriters.
Common mistakes organizations make when choosing CyberInsurance providers and plans include not properly engaging their stakeholders, overlooking exclusions, not regularly updating coverages and choosing price over coverage.
In closing, selecting a CyberInsurance provider is a nuanced process that requires careful evaluation. Organizations must be diligent, consult experts if needed and prioritize their unique needs over generic market offerings.
Say your company allows BYOB, or there's a lot of shadow IT happening for some reason. Are you still eligible for CyberInsurance, or are those types of environments considered too risky?
That's an excellent question, and it's one that resonates with many organizations today. The straightforward answer is yes; companies with Bring Your Own Device policies or prevalent Shadow IT can still obtain CyberInsurance. However, there are numerous factors to consider.
When employees use their personal devices for work purposes, there's a mingling of personal and professional data, which can introduce additional risks. The key here is how the organization manages and mitigates those risks.
Since Shadow IT is when employees use unauthorized software or applications without the IT department's knowledge, it poses significant challenges for the IT department to ensure CyberInsurance policy terms and conditions are consistently met. IT teams are regularly unaware of the vulnerabilities introduced by employee Shadow IT efforts. It's hard to secure a system you don't know exists. Insurers will want to understand how pervasive Shadow IT is within the organization and what measures are being taken to detect and manage it.
In both cases, the underlying theme is risk management. CyberInsurance providers aren't expecting a zero-risk environment -- such a thing doesn't exist. But they do want to see that companies are aware of and actively managing their risks.
Biggest takeaway you hope attendees of your workshop will have -- go!
My goal is that all attendees walk away with confidence, knowing they are better armed and better prepared to defend and recover from all cyber threats facing their organizations.