Preparing for the Cyber Insurance Market

Steve Ramey


August 17, 2023

Cyber Insurance

In today’s complex cyberrisk environment, companies are increasingly vulnerable to attacks, but many still do not know how to obtain proper cyber insurance coverage. Understanding the process is essential for organizations that are exploring the market for the first time.  

Chief information security officers (CISO) and risk managers should be aware that the cyber insurance process is detailed. When quoting a policy, underwriters have a series of questions they will ask to extract specific data points to evaluate the organization’s cybersecurity program, including the cybersecurity strategy, types of critical information, access management, security operations and business resiliency. These data points help underwriters value and approximate risk should a cybersecurity event occur.  

Each insurance company has their own approach to evaluating risk, but the following are some of the basics on how underwriters view cybersecurity programs, as well as some sample questions they may ask during the application process:  

Strategy and governance. It is important to work with an experienced cybersecurity leader to establish the foundational elements of a good cybersecurity program. The program leader should set and demonstrate the program objectives, provide a roadmap for implementing and enhancing controls, and ensure the program meets defined objectives through training, testing and validation. To get started, answer the following questions: 

  1. Does a formal cybersecurity program exist and is it overseen by a proven leader? 
  2. Is there a defined strategy for the program? 
  3. What types of security policies exist, how are employees trained, and how often is the content refreshed? 

Critical information. Regulatory agencies around the world have established laws protecting certain types of information about individuals, financial information or the processing of certain data. Organizations seeking cyber policies should demonstrate understanding of the types of data and processes that are critical to their business. Companies should be able to answer the following questions: 

  1. What type of information does the company possess and how many records are collected, processed and stored? 
  2. Have security controls been implemented to align with applicable regulatory requirements safeguarding the information? 
  3. Does the organization safely and securely dispose of data and assets that are no longer needed? 

Access controls. Access to business data is critical for employees to provide services to their customers and drive revenue. IT programs should demonstrate the use of least privilege, role-based access controls (RBAC), and security controls, such as privileged access management (PAM) tools or multi-factor authentication (MFA), to protect privileged and non-privileged accounts.  Questions to evaluate proper access controls may include: 

  1. Which users require access to which systems and data to perform the duties of their job? 
  2. Are privileged accounts limited to only the minimum necessary administrative tasks required? 
  3. Is a PAM tool implemented to protect all privileged user and service accounts? 
  4. Do remote access technologies require MFA to further authenticate a user? 
  5. Is MFA enabled for all users on all systems (internal and external) that support it? 

Security operations. Understanding what to protect is essential to plan for how to protect those digital assets. Security controls are necessary to implement for detecting, alerting, mitigating and responding to potential security events throughout the network. Sample questions to evaluate security operations are: 

  1. Are the endpoints protected with next generation security tools like enterprise detection and response (EDR) software? 
  2. Are privileged accounts monitored for abnormal usage? 
  3. Is a security operations center monitoring the environment 24/7? 

Business resiliencyDevice or equipment failure, natural disasters, a disgruntled employee or a cyberattack can happen to any organization. While all those scenarios may not be covered by cyber insurance, organizations should have plans in place to continue business operations while their IT systems are disrupted. Additionally, IT teams should have plans (and options) to recover their IT systems from backups, swapping to a new data center or migrating to the cloud. Companies should also be prepared to answer the following questions about business continuity: 

  1. Does a business continuity and disaster recovery plan exist, have they been tested, and validated within the last year? 
  2. How fast can IT operations be recovered to continue business operations? Has this been tested and validated? 
  3. Has a backup strategy been implemented, and are backups segregated from the production network and administered with unique credentials? 

Qualifying for cyber insurance requires organizations not only to have a plan, but also to be able to demonstrate it. Preparation and maintenance are a key factor for reducing the success or disruption of a cyberattack, so underwriters want to see specific cybersecurity controls have been implemented and that the program is continually being improved year after year. Understanding the process can make it easier for organizations to obtain the coverage they need. 

Steve Ramey is vice president of cyber risk engineering at Sompo International.