In my last post, I talked about the linkage between an application for business liability insurance our CFO asked me to complete and the SANS 20 Critical Security Controls.
This week, I wanted to dig a little deeper and get a better understanding of how the insurance provider would use the responses to the application to make decisions about insurability and cost, so I called Ryan Cox, Vice President and Risk Management Consultant with USI, and had an interesting conversation with him that I wanted to share with you.
According to Ryan, the insurance provider looks at several factors to determine 1) whether or not they’ll even offer coverage to your company, and if so, 2) what that coverage will cost your company for a given level of coverage. Two of those factors stood out for me as being key determinants.
First, they consider the level of business risk the company is facing: whether you’re in a high or low risk industry from a cybersecurity perspective. A few things drive that assessment. What type of data do you store and how much of it?
Fundamentally, they need to reach a determination as to how attractive you are to a potential hacker and how motivated that hacker might be to hack you!
For example, if you store a material amount of PII or HIPAA-protected data, that will impact the provider’s willingness to provide coverage. If you’re in the business of providing reloadable debit cards, you are a target. No surprise there!
Second, they need to assess how good a job you’re doing – or not doing – of protecting that data and responding to that cybersecurity risk. This is obviously where the responses to the questionnaire – and the SANS 20 – come into play. Have you implemented best practices from an IT security standpoint to protect your organization?
I’ve combined these two factors to create the 2×2 matrix you see here. If the insurance provider believes you represent a very attractive target and haven’t responded to that heightened level of risk with the appropriate security controls (top left corner), there’s a good chance they won’t provide you with insurance coverage or, if they do, the premium will be extremely high.
However, you may have a competitor who faces the same level of business risk, but has done a much better job of responding to that risk through appropriate security controls (top right corner). While their premium may be high relative to a company in the bottom right corner, it will be lower than yours and, perhaps more important, they will have access to insurance, where you do not.
I did ask Ryan to characterize the value of “strong security controls” vs. “weak security controls,” using the questionnaire as the yardstick for that measure – contrast the premium for a company in the top left vs. a company in the top right of the matrix.
He responded that, all things being equal, e.g. two companies in the same industry, same size, same amount of data, etc., the company with weak security controls could face a premium as much as 10x higher than the company with strong security controls!
I can’t speak for you, but no doubt I would get my CEO/CFO’s attention if I offered that as a measurable benefit associated with a proposed security investment!
So, the bottom line for the insurance company is this: are you managing your business security appropriately in light of the level of cyber risk your business faces? I hope the information Ryan and I have provided helps you show your stakeholders how security directly impacts your company’s bottom line, too!
P.S. Have you met John Powers, supernatural CISO?