Risk – we deal with it every day. It’s present in small, personal ways (“Should we give the local pizza place a fourth chance after getting our order wrong three prior times?”) and it’s present in big business decisions, such as entering a new market or debuting a new product.
There are multiple ways to address risk, including acceptance, avoidance, reduction and the topic of this post – transference. Transferring risk is an efficient and effective way for an organization to spread a potential negative impact across a larger surface area to lessen the financial burden of a harmful event. Of course, transference does not remove 100 percent of a risk from an organization, though it does bring in a third party to share its weight.
Transfer risk with cybersecurity insurance
Cybersecurity insurance is a common way for organizations to transfer a number of specific risks related to:
- Services provided to customers and clients
- Privacy and sensitive data considerations
- Operations and back-office processing
- Security and network protection
Cybersecurity insurance requirements
Organizations seeking cybersecurity insurance must first understand what requirements and control expectations would be necessary for the desired coverage. Each carrier has its own menu of requirements, which can range from single to double digits, and involve varying levels of baseline security best practices and expectations.
Whether it’s a vulnerability assessment, multi-factor authentication or mobile device management, cybersecurity insurance carriers require controls to protect their interests. Underwriting scrutiny is more intense than ever due to a higher level of threats and the increased prevalence of remote work.
Find compatible cybersecurity insurance
Just as carriers have stepped up their scrutiny of applicants, companies should also be discerning in their choice of cybersecurity insurance. Treat your initial review of carrier options as a job interview; after all, you’re seeking a strategic partner for risk transference, so it is important to ensure compatibility. Ask questions related to the carrier’s history, response time, references from other customers and other factors.
Assess your readiness for cybersecurity insurance
Before an evaluation by the insurance carrier, companies should take stock of their key cybersecurity controls. Whether it’s conducted by internal IT staff or an external risk advisor, like RKL, this review should include:
- A determination of which basic controls are in place and whether they have been operating effectively over a period of time
- A plan to prioritize any identified gaps
- An assessment of how the controls are used and what policies are in place to support them
Maintaining cybersecurity insurance coverage
Once cybersecurity insurance is obtained, it has to be maintained. Much like a new diet, it is a change in operational lifestyle for the organization that must be continued over the long term for best results. What’s more, noncompliance with policy requirements can jeopardize coverage.
Make sure to continually meet expectations, and remember to anticipate new ones over time. Communication is a big part of this – keep in touch with your carrier to discuss emerging concerns and find out if new requirements related to security practices or cost changes are around the corner.
Once the necessary programs are in place to maintain coverage, organizations should conduct annual checkups to make sure these controls remain suitably designed and are operating effectively. This will reduce concerns about nonconformity with carrier requirements and promote good cybersecurity hygiene.
The process of obtaining (and keeping) cybersecurity insurance may seem daunting, but it really does not differ much from other regulatory requirements or security best practices. Organizations should actively engage in the setup, maintenance and monitoring of a proper control environment, and collaborate with the right assessment provider to ensure ongoing compliance. RKL’s team of information systems experts has decades of experience helping organizations like yours vet cybersecurity insurance providers and successfully adhere to requirements and expectations. Contact your RKL advisor or use the form below to learn more or discuss your needs.