How to choose cybersecurity insurance

by Redazione LineaEDP, 24/05/2022

Choosing a cybersecurity insurance company is a daunting and complex task. Here are four tips from Netskope for choosing the most suitable policy and insurer for your company.

Nathan Smolenski, head of cyber intelligence strategy at Netskope

Insurance companies often struggle to assess their customers' risks when it comes to cybersecurity. Traditional policies use actuarial models based on ten-year historical data or, in some cases, even century-long data. These models allow insurers to predict risks and provide coverage based on carefully calculated premiums. Cyber risk insurance, on the other hand, represents a different challenge. In a context where threats are increasing and technology is constantly changing, traditional insurance models face a scenario that is not only complex, but also unpredictable.

The complexity of cybersecurity risk policies

When choosing an insurance company, companies must take into account a large number of dynamic factors, each with its own risk profile. The cybersecurity insurance industry is overflowing with the most diverse types of cyber risk coverage and products. But while an insurance plan may protect a technology provider in the event of a service outage or product failure, it may not cover an anomaly caused by other cyber events. Companies need to grasp this distinction and ensure they get the right cyber risk coverage, not forgetting technology errors and omissions coverage. Only in this way is real coverage guaranteed for product problems, whether they are caused by cyber events or not.

As businesses navigate digital transformation, they need to include a cybersecurity strategy within their risk management program in order to insure against ransomware, data leaks, or other cyber attacks. The cyber insurance market is complex and far from clear. Policyholders should not assume they are fully covered thanks to add-ons or bundles attached to their general liability coverage. Often, in fact, these "add-ons" cover only certain types of incidents or refer to scenarios that have nothing to do with the policyholder's business activities.
4 tips on how to choose the best policy

Given the complexity of cyber insurance, how can companies and security teams make sure they get the best coverage at the best price? Here are four winning moves.

1. Improve your "cyber hygiene" and evaluate your architecture

Estimate your company's attack surface using attack surface analysis and assessment tools. Create a list of cyber risks that could be mitigated through patching, better configurations, or other remediation tools. As companies transform rapidly and adopt new technologies just as quickly, they also need to evaluate their architectures from time to time. Implement adaptive, context-based trust models wherever data and resources reside, to eliminate implicit trust and limit the impact of a potential attack. Good cyber hygiene and a Zero Trust architecture will guide you in the right direction.

2. Understand the risks related to third parties

In today's interconnected world, risks go far beyond traditional technological perimeters. A third-party risk management program is critical to understanding supply chain dangers and collecting relevant signals that tell companies about their suppliers' attack surface, security hygiene, insurance coverage, data protection and privacy strategies. Supply chain partners must be assessed on a regular basis to ensure that the security and privacy measures put in place by suppliers are up to date, as well as to determine whether it is necessary to limit the amount of data that a supplier processes, or whether one of them needs to be replaced. In the process of evaluating suppliers, it is important not to forget about insurers. They are part of the value chain and are an attractive target for criminals. If hackers can compromise an insurance company, they are also able to access the data and coverage limits of its customers' policies.
When carrying out the risk assessment of suppliers, it is necessary to thoroughly analyze the insurer's security hygiene, governance, strategies and controls.

3. Choose your supplier carefully

Many of the leading and traditional insurance companies still use manual, questionnaire-based approaches to measure a company's risks. These point-in-time assessments are not effective for numerous reasons, including the fact that the person in charge of filling out the questionnaire often does not know the answers to the questions. Much of the innovation in this area comes from new and zealous players in the cyber insurance market that leverage data-driven technologies. These pioneers can offer much more advice to companies, helping them reduce risks both before and during the policy term, as well as allowing them to customize policies to meet customers' needs. It is crucial that brokers and insurers understand their clients' business. Insurers need to ask questions, know their customers' activities in detail and know which dangers must be covered, so that the policy suits both the risk and the attack response plan.

4. Implement automation, wherever possible

To ensure the efficiency and effectiveness of the entire process, from monitoring the attack surface, to partnerships with insurers, through to third-party risk management, use automation wherever possible. Ideally, a company should always be ready and cooperative when it comes to its level of security and its data on the risks posed by the supply chain. Technology can help companies achieve this by allowing them to automatically assess configurations and controls in a cloud environment, understand risks in a supply chain, and assess what an organization looks like from an attack surface perspective.

Cybercriminals and ransomware will not disappear: attackers will continue to look for new ways to infiltrate and steal data, as well as to monetize their operations.
But companies that change their perspective on cybersecurity, that move to technologies that allow them to constantly assess risks, and that rely on the right insurers, will be much better prepared to protect themselves from worst-case scenarios.

by Nathan Smolenski, head of cyber intelligence strategy at Netskope