As businesses deal with the fallout of massive ransomware waves, from Lapsus$ to Cl0p/MOVEit, an unlikely new entity is joining the regulatory bodies to raise the bar for cybersecurity: the cyber insurer. Their coverage requirements and metrics-driven approach to risk put organizations not meeting cyber-hygiene basics on notice.

Understand Your Cyber Insurer

Cybersecurity risk has increased exponentially due to the changing and complex cyber-threat landscape, particularly ransomware attacks. Facing pressure from all sides, CISOs have the unenviable challenge of proving to their cyber insurer that their organization is properly set up to withstand cyber-risk. To make their case, CISOs must thoroughly understand cyber-insurance companies' role and key priorities. Insurance companies live and die by their ability to accurately quantify risk, and cybersecurity is no exception. Most organizations recognize their cybersecurity strategy must change, and cyber insurers that make decisions about coverage using advanced statistical methods play a pivotal role in determining what that change entails. This means it is more important than ever to get right with your cyber insurer. On the other hand, investing in those requirements means qualifying for cyber insurance will be easier and potentially less expensive at renewal.

By working with brokers and underwriters, CISOs can build multiple scenarios corresponding to different cybersecurity investments. To get CFO and board buy-in, CISOs can use the cyber-insurance requirements as metrics to track security goals and correlate their risk register with their insurance premiums. It is a unique opportunity to attach dollar values to cyber investments and push for maximum ROI in clear and persuasive ways.

Audit Before You're Audited

The current state of cyber insurance offers some actionable opportunities for security decision-makers.
First, don't underestimate the power of an accurate cyber-insurance self-assessment, which is how cyber insurers judge organizations during the auditing and claims processes. Creating and maintaining detailed records, building reporting systems, documenting all relevant business and security processes, and creating tamper-proof data for cyber forensics are all possible with sophisticated cybersecurity tools. The only change here is that CISOs now need to be able to make this cybersecurity posture visible to insurers.

Finally, an ugly truth: Organizations are in competition with each other for coverage, and a CISO must be able to prove their organization's cyber maturity is better than the rest. Whether it is full compliance with NIST regulations, control over the software supply chain, or a board with a regimented, proactive plan for cyber events, CISOs should play to their organizations' strengths while being transparent about their vulnerabilities. It's vital to get clarity around which cyber-risk factors influence pricing the most and which areas of cyber defense need to improve. By transparently partnering with insurers and auditors, CISOs will be able to make accurate security investments while furthering their organizations' cyber resilience.
This Cyber News was published on www.darkreading.com. Publication date: Thu, 30 Nov 2023 23:19:27 +0000