Security breaches have become one of IT organizations’ biggest headaches, and the pain just keeps getting worse. The average cost of a data breach last year reached $3.86 million, up 6.4 percent from the year before, according to a study by IBM and the Ponemon Institute.
In the face of the rising threat, it’s no surprise that companies are very receptive to cyber liability insurance. Market.us recently found that the global cyber liability insurance market was valued at $5.5 billion in 2018 and is expected to grow at a CAGR of 26.5 percent from 2019 to 2028.
The soaring demand for cyber liability insurance is understandable, as it helps cover the costs that businesses incur as a result of a data breach. As businesses come to grips with the fact that they may well be victimized by cybercrime, taking out an insurance policy is a smart move to consider.
However, it is essential that they take precautions to ensure that their cyber liability insurance and that of their clients stands up to scrutiny. Otherwise, their investment might be in vain. Security breaches are bad enough; no company wants a second surprise when they discover that their insurance claim has been denied.
The messy process of assessing the challenge
As the first consideration, organizations must evaluate what they’re doing to protect the network environment to prevent the breach from happening in the first place. After all, no business wants to have to file an insurance claim. They don’t want a breach to occur. It is the job of the IT organization to manage their network for them, monitor it regularly, and ensure that it is always “locked down.”
The next challenge relates to exclusions. Cyber liability insurance policies typically require the insured organization to exercise due care in its day-to-day security procedures. “Due care” can be an amorphous term, and if the business fails to meet one specific condition, the insurer might not pay out.
In dealing with the exclusion challenge, organizations often adopt a manual, paper-based approach: sitting down with the relevant teams to fill out a long application and then crossing their fingers that, if an issue arises, they’re covered. This is not only time-consuming but also error-prone.
Finding a solution
The above scenario explains why a new approach to cyber liability insurance claims is needed. Such an approach is emerging in the shape of a methodology called “compliance process automation.” This is a more efficient, accurate way of ensuring cyber insurance compliance than manual approaches.
Typically, there is a lot of overlap between cyber liability insurance policies. A policy might contain between 50 and 70 questions. Of these, 30 to 40 might be included in every policy, with each policy also including 10 to 20 questions unique to it alone. The system can be tailored accordingly: if the business is shopping around for cyber liability insurance for the first time, all the questions are included, but if it already uses a specific insurance product, the company is presented only with the questions relevant to that policy.
Moreover, network scanners and automated processes can be used to review the company’s architecture and ensure the correct answers are provided to technical questions about the client’s capability. If the form asks whether the business regularly patches and updates its software, for example, the answer may be “yes” on the application form, but how can the client prove this?
Compliance process automation provides the answer. Using this approach, the relevant software scans the network, reviewing every connected application and the last time it was patched and updated, and produces an exclusion report for anything that is out of date. This both helps prevent security breaches by alerting the business to vulnerabilities and documents evidence of compliance to support claims.
With other questions -- such as "do you carry out background checks on all your employees" -- the answer may be given manually but the system then automatically prompts the user for the additional information required, such as uploading an example of the background check form used or asking for the name of the provider to be included.
It is important to highlight here that the compliance process automation approach is not meant to be used on an ad hoc basis. Networks and IT infrastructures are continuously evolving: a patch level that was compliant in March may no longer be compliant in April. Network scanning and information updating must be regular and continuous, and that is what this approach delivers.
It is also important that compliance process automation is easy to use, to further drive productivity, ensuring, for example, that organizations can access it and upload information directly into the system when required.
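The scanning step described above, worked through as an added example that is not part of the original article or any vendor's product: a constructed inventory of hosts and installed versions is checked against a constructed vendor catalog, and the "do you patch regularly?" answer is produced together with the exclusion list that backs it. Evaluating with an explicit as-of date shows why the check must be rerun continuously: the same inventory passes in March and fails in April once a release has been available longer than the patch window. Host names, versions and dates are all hypothetical.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data (hypothetical hosts, applications and releases).
# Inventory records: (host, application, installed_version, last_patched)
INVENTORY = [
    ("web-01", "nginx", "1.24.0", "2024-02-14"),
    ("web-01", "openssl", "3.0.11", "2024-01-20"),
    ("db-01", "postgresql", "15.6", "2024-02-09"),
]
# Vendor catalog: application -> (latest_version, release_date)
CATALOG = {
    "nginx": ("1.24.0", "2024-01-30"),
    "openssl": ("3.0.13", "2024-03-20"),
    "postgresql": ("15.6", "2024-02-08"),
}

@dataclass
class Finding:
    host: str
    application: str
    installed: str
    latest: str
    days_behind: int  # days the newer release has been available

def exclusion_report(inventory, catalog, as_of, grace_days=30):
    """Entries that fail a 'regular patching' policy question as of a date.
    An entry is reported when it is behind the vendor's latest version and
    that version has been available for longer than the allowed window."""
    as_of_day = date.fromisoformat(as_of)
    findings = []
    for host, app, installed, _last_patched in inventory:
        latest, released = catalog[app]
        if installed == latest:
            continue  # current: nothing to report
        days_behind = (as_of_day - date.fromisoformat(released)).days
        if days_behind > grace_days:
            findings.append(Finding(host, app, installed, latest, days_behind))
    return findings

def evidence_record(inventory, catalog, as_of, grace_days=30):
    """The questionnaire answer plus the evidence behind it, not a bare 'yes'."""
    findings = exclusion_report(inventory, catalog, as_of, grace_days)
    return {
        "as_of": as_of,
        "question": "Is software patched within the agreed window?",
        "answer": "no" if findings else "yes",
        "checked": len(inventory),
        "exclusions": [f"{f.host}:{f.application} {f.installed} -> {f.latest}"
                       f" ({f.days_behind} days)" for f in findings],
    }
```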
Cyber liability insurance makes a great deal of sense in today’s scary environment, but organizations need to understand the fine print. That’s why compliance process automation is increasingly an approach whose time has come.