Be sure to read the complete article, as the requirements for cyber insurance have changed vastly in the past 12 months. At Varsity, we often receive requests to respond to audit questionnaires or surveys from brokers. Although the process may look familiar, the changes in expectations are significant. All organizations, regardless of past experience, should assume that requirements for Cyber, and also E&O and General Liability coverage, will continue to become more stringent, especially around the customer's own responsibilities and share of the risk.
What to Do
- Start reviewing your insurance coverage with your broker (not your insurer!)
- Don’t submit your surveys or audits without first talking to IT
- Review your IT Cybersecurity
Where to Begin
Depending on your risk needs and any compliance requirements you might have, I recommend that you start by reviewing your current cybersecurity policies. Note that the issue here is policies, not your tools. Often IT folk will talk about this solution or such-and-such product. The reality is that insurers are following guidelines set forth by standards organizations and applying cybersecurity frameworks such as the NIST Cybersecurity Framework and the CIS Controls. Those frameworks, which Varsity does follow, outline the need for policies, procedures, and management practices to make sure the controls are actually working.
Here is how to step through this first phase:
- Gather your policies on Cyber and Information Security including employment agreements and your employee handbook.
- Meet with your leadership team and identify a Compliance Officer (should not be your IT person)
- Conduct a specific meeting to review your findings
- Take meeting notes and identify actions that need to be taken
Now this may seem a bit much, but insurers and auditors are looking for oversight, not just tools, and, more importantly, for evidence that your methods actually protect your organization. Oversight and accountability are critical and are a step toward protecting your organization and maintaining continuity.
Next, conduct an inventory of the solutions you have in place and what, if any, management reports are available from those tools. Your reports should demonstrate what is working and any identifiable risks, such as unprotected computers, potential malware, or unauthorized access. You don’t have to be an IT expert to interpret most of these reports. It is common for them to show red, yellow, and green statuses. Red is bad and at the very least deserves investigation.
None of this is intended to be alarming. In fact, this is a systematic approach to operations management. It just so happens that the management methods are being defined by a third party and enforced by your insurer. Why? Your insurers want to mitigate their risk of a payout. After the billions spent on payouts in the last few years, they now know that the customer must be prepared to defend against a threat actor. If they aren’t, a cyber incident becomes very likely, and the insurer could be paying out tens if not hundreds of thousands of dollars.
In our post next week, we will walk through each of the requirements of cyber insurance policies, from ransomware protection and employee education to monitoring.