By Tom Beale, CTO, Corax
Today, companies are facing the difficult challenge of encouraging employees to innovate with data while managing the tricky security conundrum this has become. Underwriters are faced with the even bigger challenge of understanding and assessing potential business interruption introduced by dozens of new dependencies that didn't exist five or ten years ago.
Here are ten of the new questions underwriters should be considering when assessing risk in today’s new cyber security insurance landscape.
1. How Much Data has the Client Got, and What Type of Data is it?
Many organisations actively collecting data don’t know what they’ve got or why they’ve got it, which is a dangerous situation to be in.
So underwriters need to be asking: is this business in the data collection business or not? Case in point, many large retail organisations that have been collecting credit card related data for years have recently begun outsourcing their credit card processing in a way that means that credit card data never touches their own network. It means reducing liabilities associated with credit cards while lowering risk.
2. What is the Client’s Security Culture?
Security culture is quite complex and pervades every element of a business. It’s definitely not just an IT issue or a function of your security department. It’s contractual and a function of purchasing and legal, and it starts at board level as well. What does the tone from the top look like when it comes to promoting a solid security culture?
3. What About Staff and Third Party Contracts?
If you’re looking at an organisation and trying to understand its approach to security, the people that it employs are very important. Companies that don’t think about this structural and cultural element of a business are more frequently the victims of attack.
Human error accounts for a large share of vulnerability, and it is not necessarily your own people. Companies often find themselves in weak positions because their software providers cannot patch systems that run an older operating system or some form of custom software.
4. Does the Organisation Have a CIO, CDO and CSO?
If a company has senior people in these roles, they may be in a better position to make informed decisions surrounding data.
Not every company can afford a Chief Security Officer, but we’re starting to see more third party outsourced CSOs and security monitoring services, especially amongst SMEs.
5. How Long Has the Organisation Been Around?
Age and size are important criteria when it comes to security. Younger organisations are more likely to have grown up with more security-conscious systems and practices, and more likely to secure data in the cloud.
Age and size may not be a problem if a company is serious about its view to investing in the business for the purpose of security, robust infrastructure and training.
6. How Many Systems Does the Company Have?
As with the point above, bigger, older organisations are likely to have more assets and less idea of exactly how many they have. This is a major concern, as it only takes one vulnerable asset for malware to be introduced.
It's also critical to drill down further and look at whether an organisation has systems that were built in isolation from one another. When an organisation does not take a global approach to building its systems, it may be more vulnerable to threats.
7. Attitudes and Approaches to Security IT
Today, underwriters should be very interested in understanding what percentage of revenue a company spends on security related IT. It’s useful to watch if that percentage goes up or down in order to gauge how committed a company is to security.
8. Are Their Own Products Secure?
It’s also useful to watch whether organisations are building security into the products they are creating. It’s understandable that companies want to get new products out to market quickly, but if they are not being built with security in mind, this is a real concern.
9. How is Outsourcing Handled?
Outsourcing is not bad – it's a fact of life. It is how a company manages its outsourcing relationships and its third parties' access to its infrastructure that helps us assess its vulnerability.
Underwriters must also try to find ways to look at the ripple effect and the inherited risk from all third parties and their respective third parties.
10. The Infrastructure to Employee Ratio
When looking at large businesses, it's also useful to apply an 'infrastructure to employee ratio', which looks at the business from an asset perspective, investigating how a company invests in technology in line with the number of employees it has. If a business has a large number of employees but also invests significantly and regularly in its infrastructure, this is a positive sign.
Cyber risk can no longer be considered just an IT problem. When assessing the immediate financial loss that might result from a client suffering some form of business interruption event, underwriters are moving beyond IT and considering whether companies have a proactive security culture, and whether they have put the right people in place to understand data and how best to keep it safe. It's also about looking at the people within, the outsourced agreements and how these are managed.
The ten questions above represent only a few of the new complexities underwriters are considering within today’s new threat landscape, but combined with the use of technology to make cyber risk analytics more transparent, underwriters are better prepared than ever before to ensure they fully understand the scope of cyber risk.