The Changing Landscape of Cybersecurity Insurance

The role of IT in an organization is shaped by business needs and organizational strategy. To stay ahead, organizations must secure their data and systems at the same pace as the technology they adopt evolves. Business leaders, however, often prioritize functionality and efficiency without fully understanding the security implications, and may treat cybersecurity insurance as a fallback without appreciating the risk they are still carrying.

Cybersecurity insurance is changing rapidly. Traditionally seen as a safety net, it is now getting the attention of business leaders because premiums are skyrocketing. The stakes are high: healthcare organizations have been warned by the Joint Commission to plan for extended downtime following an attack, and a significant number of businesses never recover from a breach. Underwriters are pricing that risk accordingly.

To secure the most affordable policy and premium, business leaders must first get their cybersecurity processes and practices in order. Several initial actions can be taken when building a cybersecurity insurance strategy:

1. Conduct a business impact analysis (BIA) involving senior leadership and representatives from each business unit. The BIA identifies the risks the organization faces and quantifies what different kinds of cyberattack would cost the business in downtime, lost revenue and recovery effort, which is also the information an underwriter will ask for.

2. Closely review cybersecurity insurance policies, as underwriters are adding stricter requirements and exclusion clauses. Meeting these requirements is crucial: businesses often discover only after an attack that they did not satisfy a condition of the contract, and the claim is reduced or denied. Conditions commonly seen in current policies include multi-factor authentication on remote and privileged access, endpoint detection and response, and tested offline backups; treat each one as an obligation that must be verifiably in place, not a checkbox on the application.

3. Consult with a broker to stay informed about new cybersecurity coverage options and to explore different approaches, such as a hybrid approach that divides the budget between commercial insurance and self-insurance (retaining part of the risk).

4. Proactively implement a control environment aligned with a recognized industry standard, since demonstrable controls reduce premiums. For regulated industries, compliance with applicable regulations, such as the Securities and Exchange Commission's cybersecurity disclosure rules, is essential. Non-regulated industries should meet a baseline framework such as ISO 27001, the NIST Cybersecurity Framework (NIST CSF), SOC 2, HITRUST, or PCI DSS (which is in any case mandatory for any organization that handles payment card data).

5. Have a third party conduct a security assessment regularly to identify vulnerabilities the organization is not yet aware of. Schedule it ahead of the insurance company's own assessment, which typically occurs at policy creation or renewal, so that findings can be remediated before the underwriter sees them rather than becoming grounds for a higher premium or an exclusion.

Cybersecurity insurance is one component of a holistic strategy for securing interconnected networks, devices and applications; it transfers some financial risk but does not reduce the likelihood of an incident. That strategy goes beyond technology and should be treated by organizations as a strategic necessity rather than an IT purchase.
