
Is Cyber Insurance right for you?

Wow, a big question, right? I can’t answer it for you. Obviously I’d recommend that you consider cyber insurance, but I’d also recommend that you:

  • Understand your business and its supply chain, in terms of both financials and the links to cyber risk
  • Understand your current cyber asset, threat and vulnerability landscape, and therefore your risk landscape
  • Ensure you have a good enough understanding to make informed decisions

I’m not going to write much this evening on the subject, but I was reviewing a report that lines up with some research I started recently (and was side-tracked from), so I bought the report instead of finishing the research myself! (Sometimes it’s easier not to do everything yourself, right?)

Typical Insurance Questions

I believe that, according to the Insurance Institute of London’s research for their Cyber Insurance Research Findings report, these are the questions commonly asked by insurance providers.

Asset Management and Controls

  • Do you have an effective access control policy implemented on your IT infrastructure, especially the systems holding valuable data?

Patching

  • How do you implement patch updates?
  • Do you have a consistent timely patching process in place?

General Awareness and Staff Training on Cyber Security Risks

  • Have your employees received regular cyber awareness training?

Phishing

  • Are they regularly trained to detect phishing, social engineering and other fraud tactics?
  • What control and systems are in place to detect such problems?

Backup

  • Do you have an effective backup solution?
  • How are your backups protected from a ransomware attack?

Security Monitoring

  • Do you have an effective security information system in place to aid with the detection of malware threats to your network?

Secure Design

  • Have you implemented segmentation to protect critical assets against external threats?

Mergers and Acquisitions

  • If you have recently acquired or merged with another organisation, did you carry out an appropriate level of due diligence, including a cyber risk assessment?

Supply Chain Security

  • Do you regularly perform due diligence and audits on potential and current suppliers and their services?
  • Does that include extended due diligence if they have network access?

Work Aid: Table of questions and responses

So, without going into a long maturity assessment, I’ve put together a self-help checklist for people to start thinking about their current state. If you were to respond to this truthfully, how complete is your coverage?

Category | Question | Response
--- | --- | ---
Asset Management and Controls | Do you have an effective access control policy implemented on your IT infrastructure, especially the systems holding valuable data? |
Patching | How do you implement patch updates? |
Patching | Do you have a consistent timely patching process in place? |
General Awareness and Staff Training on Cyber Security Risks | Have your employees received regular cyber awareness training? |
Phishing | Are they regularly trained to detect phishing, social engineering and other fraud tactics? |
Phishing | What control and systems are in place to detect such problems? |
Backup | Do you have an effective backup solution? |
Backup | How are your backups protected from a ransomware attack? |
Security Monitoring | Do you have an effective security information system in place to aid with the detection of malware threats to your network? |
Secure Design | Have you implemented segmentation to protect critical assets against external threats? |
Mergers and Acquisitions | If you have recently acquired or merged with another organisation, did you carry out an appropriate level of due diligence, including a cyber risk assessment? |
Supply Chain Security | Do you regularly perform due diligence and audits on potential and current suppliers and their services? |
Supply Chain Security | Does that include extended due diligence if they have network access? |

Linkages to good practices

Does anyone notice a theme here? It links to a range of areas covered by Cyber Essentials but is more in line with IASME governance and ISO 27001:2013.

Deciding if cyber insurance is a good investment, what would I do?

OK, so I designed a service which I named (it’s not a cool name) “The Enterprise Cyber Security Assessment” (https://www.pwndefend.com/services/enterprise-security-posture-assessment/).

So, if you know me, you might see some similarities. I also made an e-book to help people do self-assessments based on simple yes and no responses to questions:

I also made a CISO getting started toolkit:

https://www.pwndefend.com/wp-content/uploads/2022/03/Enterprise-Context-and-Sizing-Initial-Questionaire-Public-.xlsx

and there are tons of other industry-standard toolkits that can support and aid your investment decisions. However, let’s try to sum up what I would look at:

  1. What’s my current state business financial model?
  2. What’s my current state posture?
  3. What’s my risk position?
  4. What’s my cyber investment portfolio?
  5. How well armed are we to identify, protect, detect, respond, and recover from real world cyber threats?
  6. What does the insurance policy cover?
  7. What is the cost of the policy?
  8. What level of coverage does it provide? (Maximum payout)
  9. What is the excess?
  10. What is required of the organisation to receive a payout?
  11. What happens in the event of an incident?
  12. What does the insurance org look like?
  13. How does the insurance align with the rest of the defensive cyber portfolio?
  14. Who will ultimately decide on the purchase of insurance?
  15. If insurance is purchased, how does this affect the organisation’s appetite for investing in cyber defensive capabilities?

How is my posture? Like, how bad could it be?

I’d really want to know what my position is. I’d also want to make sure I balanced my view of financial investments and current-state posture, and really had the foundations in place to reduce the likelihood and impact of major cyber risks such as ransomware or extortion/business email compromise. I’d want to really know my business and its cyber landscape to be able to make that decision.

So, in short, I would want to ensure I understood the current state, and understood my architecture, controls and gaps; had a roadmap for improvement; and had a budget plan for the next three years. I’d also want to ensure I had invested in people, that I had the right culture, but also had the right supporting capabilities like EDR, MDM and platforms for securing and monitoring server applications and web systems. Oh, and let’s not forget backups. I’d want to have emulated or simulated quite a few incidents that would cause a rainy day and then work backwards. I’d purple team the hell out of myself before making decisions, is the short answer.

I can’t decide or advise on what I don’t know. I can say this: whatever I want to defend, I attack, I research, I learn, I try to understand. That way I can have some assurance in making decisions with regards to “what next”. Not the clearest answer to the cyber insurance question, but it’s the honest one. I’d want to know a lot more about an organisation before I could contemplate it. Sizing up what that looks like is a project in itself. I don’t know about you, but learning an org for me takes months, not hours. If you can do it in hours or days, please tell me your secret; I’ve been doing this for years and it still takes lots of time and effort. Even if I’ve managed to get DA in 30 minutes… I don’t really know anything from that.