If you’ve ever suffered through the application process for cybersecurity insurance, you know that “suffered” is the right word because of a triple whammy.
First, the general risk factors involved in cybersecurity are constantly changing – consider the rapid rise in ransomware, for example.
Second, it is extremely labor-intensive for businesses to document how “safe” they are, in terms of their security maturity, policies, practices and technology.
And third, it’s hard for insurers, their underwriters and their actuaries to feel confident that they truly understand how risky a potential customer is, and that information and knowledge is required for quoting a policy that offers sufficient coverage at reasonable rates for all parties.
That is, of course, assuming that everyone is on the same page and agrees that cybersecurity insurance is important for the organization to consider. Is cybersecurity insurance a necessary evil for every company to consider? Or is it only a viable option for a small few? That's a topic for a separate conversation. For now, let’s assume that you’re applying for insurance.
For their part, insurance carriers aren’t equipped to go into your business and examine your IT infrastructure, inspect firewall settings, and audit your employee anti-phishing training materials. Instead, they rely upon your answers to questionnaires developed and interpreted by their own engineers. Unfortunately, those questionnaires may not get into the nuances, especially if you’re in a vertical where the risks are especially high, and so are the rewards for successful hackers.
According to InformationAge, 77% of all detected ransomware globally appeared in four main sectors: business & professional services (28%), government (19%), healthcare (15%) and retail (15%). In 2016 and 2017, healthcare organizations like hospitals and medical practices were repeatedly hit by ransomware. Give that to the actuaries, and they might ask those types of organizations to fill out even more questionnaires.
About those questionnaires: “Applications tend to have a lot of yes/no answers… so that doesn’t give the entire picture of what the IT framework actually looks like,” says Michelle Chia, Vice President, Zurich North America. She explained that an insurance company’s internal assessment engineers have to dig deeper to understand what is really going on: “They interview the more complex clients to get a robust picture of what the combination of processes and controls actually looks like and how secure the network and the IT infrastructure are.”
Ms. Chia continues that the process of applying for Security & Privacy insurance – and the process must be repeated each year, with updated information – can be a good exercise for a company’s IT and security staff, because it forces them to examine their own policies and practices at the highest level. “It’s imperative that the CISO be involved. They know the controls – without showing that they have adopted a mindset of resilience rather than just protection the insurance provider can’t provide the best policy and coverage.”
After all, insurers define what's required in order to get a Security & Privacy insurance policy, and they also determine what premium discounts will be offered.
Bring the CRO (or Risk Manager) and CISO Together
Ms. Chia warns that in too many organizations, the Chief Risk Officer (CRO), or risk manager, doesn’t always engage with the CISO when working on an insurance quotation. Why? “Historically IT sees Security & Privacy insurance as a knock on their capability. While that’s not necessarily true today, the CISO should be confident in what they are doing to protect the business, and know that insurance provides a backstop for the unforeseeable event.”
Organizations with successful programs recommend that the conversation and education process be continuous, both internally and with their insurers. “From our perspective, it’s crucial that we are ‘on the same page’ in our discussions so that we are clearly communicating our capabilities, fully understanding the expectations of insurers, and fully demonstrating our organization’s commitment to cyber defenses,” said Keith Lindloff, Director Insurance Services at Children’s Health in Dallas, TX.
Here’s a way to shortcut the process: if the organization can document formal, certified compliance with existing, well-accepted security process frameworks, an insurer can use that documentation as part of the risk-assessment process. Those standards include the broadly accepted NIST Cybersecurity Framework (CsF), the accounting industry’s SOC reports, and the HIPAA standard for any organization involved with healthcare or personal medical records.
There are even vertical-industry associations, like the HITRUST Alliance, whose HITRUST CSF cybersecurity framework not only encompasses healthcare best practices, but embraces everything relevant in the NIST CsF, SOC and HIPAA certifications. For hospitals, medical practices, and others doing business in the healthcare industry, demonstrating compliance with the HITRUST CSF is a “certify once, document many” step. It can lead not only to better security practices internally, but also to compliance across many regulations and standards, with the unique option to present third-party risk assurance throughout the healthcare supply chain on which they rely. This makes it easier to interact with Security & Privacy insurance companies.
How does that work? Security & Privacy insurance underwriters like Zurich North America or brokers like Willis North America have a baseline level of confidence in the previously mentioned, established and widely recognized common security frameworks. They can often substitute documented compliance with those standards for an in-depth examination by their own risk engineers, resulting in a streamlined application process as well as potentially lower rates, because their actuarial tables indicate that organizations that can demonstrate compliance with those standards suffer fewer breaches. In many cases, when they are breached, they respond more quickly and more effectively, with smaller losses for insurance companies to pay out.
It’s a win-win, says Ms. Chia. “What HITRUST brings is the industry standard assessment report for healthcare organizations that is very similar to what the risk engineers at Zurich and Willis are doing during the application review process. Having the industry-standard risk report from the client removes the need for the engineer assessment, and removes the need to duplicate the assessment by filling out yet another application. Now the healthcare organization can just complete the HITRUST certification, and Zurich uses the report to provide an insurance proposal that includes a lot of bells and whistles that you wouldn’t normally get. If you are HITRUST certified, you have adopted a mindset of resilience rather than just protection. If you identify all possible risks and have an action plan in place, you will prove most resilient and quickly get back to meeting the expectations of your customers and your shareholders.”
Sanjeev Sah, Chief Information Security Officer at Texas Children's Hospital in Houston, agrees. “Insurers ask questions that look at security measures before coming back with a coverage plan and pricing. If they can utilize the common framework and related reports as a trusted alternative, it provides them value and reduces the effort required by the organization seeking insurance. If you are CSF-verified, insurers should have a level of confidence that you are doing what matters when it comes to protecting healthcare information and managing business risk; they are incentivized to provide better pricing and better coverage for certified organizations.”
Another hospital executive, Pamela Arora, Senior Vice President and Chief Information Officer, Children's Health in Dallas, TX, makes the same point, and encourages widespread acceptance of third-party-enabled risk management frameworks like HITRUST CSF. “Children’s Health is HITRUST certified. If insurance firms and regulators support privacy and security certifications such as this, the market will surely follow. In that instance, it wouldn’t be just a few voices pushing partners to adopt measurable frameworks, rather it will amplify that direction with the industry as a whole driving that change; driving efficiencies into and across the entire healthcare industry.”
“Industry standard reports for third party risk like that found with the HITRUST CSF help close communication gaps in that they provide third-party, objective validation that our organization has appropriate cyber security controls in place in our environment,” added Keith Lindloff, Director Insurance Services at Children’s Health in Dallas, Texas.
What’s the answer? Before you fill out the insurance application, make sure you are certified to the relevant industry and government standards: NIST CsF, certainly; SOC if it applies; and if you are in a vertical like healthcare, consider a standard framework and risk management program that has been adopted by the industry at large and that covers all of the standards with a single assessment and compliance certification program. With certifications in hand, you’re in a better position to acquire a solid cybersecurity insurance program that covers your business risk, and to negotiate a good price for it too.
About Alan Zeichick
Alan Zeichick is Principal Analyst at Camden Associates. A former mainframe systems analyst, Alan has been in the technology industry since the early 1980s, and focuses on software development, networking, communications and security.