In today’s hyper-connected world, it is hard to imagine a business that doesn’t rely in whole or in part on the usage of electronic communications and systems to meet critical business processes. The systems themselves are crucial, but the information contained therein is actually the most important resource. Data is quickly becoming the most valuable resource on Earth and the ability to secure that data has become a business priority. Organizations that know how to collect, process and analyze information to gain actionable insights are able to outperform the competition and deliver tremendous value to the market.
In assessing market trends, we see cyber attacks increasing in velocity, magnitude and complexity. The real consequences of these attacks are becoming more and more impactful as well. We’ve seen data breaches resulting in significant financial and reputation losses. We’ve seen entire healthcare systems hindered from doing business for hours or days. We’ve even seen a major oil pipeline completely shut down for days.
Challenges With the Current Approach To Cybersecurity
Cybersecurity is a subset of information security in which the practitioner focuses on protecting digital information and the systems that process and transmit it. The challenge with the current, compliance-driven approach to it is twofold.
First, it sets your goal as attainment of validated conformance to a security compliance framework such as a SOC2 Report, a PCI/DSS Attestation of Compliance or an ISO 27001 certificate. While this approach has the benefit of a clear finish line against a prescriptive standard, it can cause unnecessary complexity in the long term as the business needs grow and new security compliance frameworks are pursued.
Secondly, this approach often forces an organization to assess each framework independently from one another. This cycle can lead to audit burnout, ineffective controls and contribute to security compliance feeling more like an obstacle than a business enabler.
A Better Way To Approach Cybersecurity
A more effective, and our recommended, approach to cybersecurity is to integrate cybersecurity activities firmly into organizational risk management. When approached as part of the organizational risk management, cybersecurity controls can be addressed in a more holistic way that better aligns with business objectives and the culture of the organization.
Controls from various frameworks can be tailored to better meet the organization’s needs and, instead of “checkbox compliance,” we can tell a more cohesive story around how our enterprise cybersecurity program positions us for compliance with the applicable frameworks. It becomes easier to justify compensating and alternative controls when it can be demonstrated that the risks have been analyzed against the organization’s operational environment.
The Origins of Cybersecurity Insurance
According to the National Association of Insurance Commissioners (NAIC), Insurance is “an economic device transferring risk from an individual to a company and reducing the uncertainty of risk via pooling.” NAIC has been active in America since 1871, but historically insurance has been in use for centuries throughout civilizations spanning the entire world. Insurance has always been a mechanism for transferring risk from an individual or organization to a larger group and is particularly useful in cases such as cybersecurity and natural disasters that can be catastrophic, unpredictable and indiscriminate.
It is logical, then, that insurers would offer insurance for cyber attacks and that organizations would look to transfer their risk through the usage of insurance. When a business conducts risk management activities, threats can be handled in one of several ways:
- Risk Acceptance
- Risk Avoidance
- Risk Mitigation
- Risk Sharing or Transference
The goal of any risk management program is always to reduce residual risk within the Organization’s risk appetite. Cybersecurity Insurance allows organizations to transfer residual risks of a cyber attack to an insurer to minimize losses.
Applying Risk Management to Cybersecurity Insurance
Understanding Organizational Risk Appetite
Without a clear understanding of the organization’s risk appetite it is hard to effectively execute on risk management activities. In order for risk appetite to be effective, it must be aligned closely with business objectives and desired outcomes. We recommend that risk management activities be carried out in close alignment with business strategy. This is an area that many organizations struggle with, but its importance cannot be overstated.
Understanding Threats to the Organization
Another vital step that organizations frequently struggle with is understanding the threats to their organization, its business operations, and the critical data in use throughout the business. Risks must be tied to a threat. In today’s cybersecurity environment, the number of threat actors paired with the complexity and quantity of potential attacks can make it hard for overworked teams to understand which threats are most likely to impact their organization.
Quantifying Risk and Determining Which Risks to Transfer
Once an organization is able to effectively understand key business objectives, assess the unique threats that could impact those objectives and determine its risk appetite, it is left with the challenge of quantifying the potential impact and likelihood of occurrence.
These activities will drive the selection and deployment of security controls to mitigate the risk. When the risk is greater than your organization’s tolerance, you may be stuck deciding whether to accept the risk, avoid the risk (by choosing to not engage in the activity that exposes the risk) or transfer the risk. For critical business operations with high levels of residual risk, it is often the best choice to transfer the risk. These are the risks that make sense to spend on Cybersecurity Insurance.
Cyber Insurance Programs
Reciprocity® ZenGRC Platform enables you to take a program-centric risk management approach to cybersecurity. This empowers you to walk through the entire risk management lifecycle in close alignment with business objectives, framing risks in terms that your leadership can understand in direct relation to desired business outcomes.
Reciprocity helps you align risk management to many industry standard security, compliance and privacy frameworks including AICPA SOC2 (SSAE 18), ISO 27001, NIST 800-53, PCI DSS and more. Today we are happy to announce that the Secure Controls Framework Insurability (SCF-I) Framework and The Coalition cyber insurability profile are available to conduct an assessment against.
The SCF-I Framework helps an organization consider the applicable risks, threats and controls so that it can maximize its insurability. The Coalition cyber insurability profile is a quick assessment used by Coalition insurance to evaluate cyber risk and decide on insurability.
Why not take these new frameworks for a test drive today and better understand the factors that determine your organization’s insurability? Sign up for our FREE ZenGRC trial: no credit card required, unlimited time to explore. Or register for a FREE live demo to see ZenGRC in action.