10 Ways To Reduce Your Insurance Premiums
Purchasing Cyber Insurance Along with Other Insurance Coverage
In light of all of the attacks and breaches, although expensive, many organizations are purchasing cyber insurance along with other insurance coverage. How can organizations reduce insurance premiums by reducing claims and costs of a breach? Below are some very basic actions that organizations can take to lower premiums.
Many industry experts have stated, that it’s not a matter of if an organization will be breached, it is a matter of when. Therefore, a comprehensive, detailed incident response plan is critical. Most importantly, it should enable quick containment of the attack to reduce the volume of exposure. This in turn, reduces the loss. Creating a solid incident response plan is another topic, but sufficed it to say, it requires the right people with the right skills, process and technologies for quick attack identification and remediation.
Use multi-factor authentication before providing anyone access to key servers, applications, systems or data and always use multi-factor authentication for remote access. These two processes make it much harder for unauthorized persons to steal sensitive data — it’s just like locking the door and the deadbolt to prevent a break-in.
Data and Device Encryption
Data and device encryption is especially important for laptops and USBs. If they are fully encrypted, the risk of exposed or lost data is extremely low, but devices must also include a lock. If the data cannot be read, it is useless to the thief and data cannot be exposed, so no cyber insurance claim is needed.
Mandatory Continuous Security Awareness Training
Awareness has been shown to reduce the risk of a cyber-attack. It is often said that the weakest link in a cybersecurity program is “people”. However, one method of improving your odds is through continuous security awareness training. We have found that people often become more engaged if information security is explained in a way that personalizes it for the user. For example, employee awareness of using strong passwords and multi-factor authentication in their personal banking, shopping and other personal business can also be applied to the same concepts for use in the workplace.
Use a Managed Security Services Provider (MSSP)
Some insurers will reduce premiums if a company can demonstrate that it is using a well credentialed Managed Security Services Provider (MSSP). These firms provide a number of services from intrusion protection, endpoint protection, vulnerability scanning, security incident event management, incident response and more. This can be especially helpful if it is not possible for companies to hire all of the experts needed to provide similar services.
Retain a Third-Party Forensic Firm
Cyber Forensics is such a specialized field that it is usually best to retain an outside firm that specializes in cyber forensics. Their experts can help identify any data loss, how it was accomplished and what how to remediate. This is particularly important for any legal action that may result from the incident.
Board Involvement in Information Security Program Oversight
If the board of directors is not engaged in oversight of the information security program, if a breach does occur, regulators or litigants will note this gap in their responsibilities. In addition, board support for information security plans with a clear understanding of the outstanding risks means that information security will rise on management’s radar as well. Although this puts a spotlight on information security, it is likely that engaged management will encourage an engaged workforce, providing more resources for prevention and incident response, thus lowering claims frequency and the amount of data loss.
Separating Information Security and IT to Ensure Impartiality
If CISOs report to the CIO, there is always the possibility they will intentionally or unintentionally withhold findings or discrepancies that would adversely impact the IT department. A CISO who reports to another department such as, Compliance, may not have as strong a relationship with IT staff, but can be more objective in their assessment of IT operations relative to security. This independence will be viewed more positively by third parties, including customers, thus reducing the likelihood of claims after a breach.
New Technology and Vendor Evaluation
If a breach is caused by a new technology or vendor introduced into the IT environment without completely vetting the impact of regulatory body decisions and possible litigation will be far worse than if due diligence was done and fully documented. There are several free resources available to help organizations set up a good vendor risk management program.
Regular External Third-Party Information Security Risk Assessments
Some insurance companies require annual external assessments. Even if this is not the case, having an objective set of eyes going over your info sec program from stem to stern will tell you where the gaps lie. Interim third-party intrusion testing is highly recommended because they will proactively identify and also expose possible risks. Organizations should ensure the results are risk rated and prioritized, since it is critical to use your organization’s resources as prudently as possible.
Most important, talk with your carrier. Many of them have a wealth of information security knowledge and recommendations. They can guide organizations on how to prioritize information security projects to save the most money on insurance premiums and claims.
Author, John Brady, CISSP is Chief Information Security Officer of Secure 24. He provides information security advisory services to clients. in addition to his leadership role in the company.