Cyber insurance, also known as cybersecurity insurance or cyber risk insurance, is a type of insurance coverage designed to protect businesses and individuals from financial losses and liabilities associated with cyber threats and incidents. These threats include data breaches, hardware attacks, ransomware, denial-of-service attacks, and other forms of cybercrime.
Cyber Insurance Risk Framework
Cybersecurity insurance is an important tool for managing and transferring cyber risk, and the New York Cyber Insurance Risk Framework gives insurers a structured approach to underwriting it. Coverage helps an organization absorb the business disruption and financial costs of a cyber incident. Just as importantly, an insurer that prices an organization's cyber risk accurately creates a financial incentive to improve security controls, because stronger controls can lower premiums.
The New York Department of Financial Services (NYDFS) released its Cyber Insurance Risk Framework, making New York the first state in the nation to issue such guidance. The framework was a response to the rise in cyberattacks. One example is the SolarWinds attack, in which a Russian state-affiliated hacking group compromised the supply chain of SolarWinds' Orion software and used it to infiltrate the networks of numerous US government agencies, including the US Treasury and the Department of Commerce. With cyberattacks proliferating, the cyber insurance market is projected to reach $20 billion by 2025, up from $3.15 billion in 2019.
Establish a Formal Cyber Insurance Risk Strategy
Insurers need a clearly defined strategy for measuring cyber insurance risk, both qualitatively and quantitatively. The strategy should be directed and approved by senior management and the board, and should include the following components:
- Manage and Eliminate Exposure to Silent Cyber Insurance Risk: Insurance carriers need to identify and evaluate their exposure to silent, or non-affirmative, cyber risk: cyber-related losses that could be claimed under policies never written with cyber events in mind. Having measured it, they should reduce it. The direct way to eliminate silent risk is to state explicitly, in any policy that could attract a cyber-related claim, whether that policy covers or excludes cyber-related losses.
- Evaluate Systemic Risk: Systemic risk, such as the compromise of a third-party vendor used by many policyholders, can produce simultaneous losses across a large share of an insurer's book. Insurers must conduct stress tests and model catastrophic cyber events, because a portfolio of individually small risks behaves very differently when those risks are correlated. The SolarWinds attack is an example of a single event that could have damaged many insureds at once.
- Rigorously Measure Insured Risk: Insurers must develop a data-driven plan to assess the cyber risks of each insured. This includes evaluating governance, vulnerability management, access controls, incident response, and third-party risk management.
- Educate Insured and Insurance Producers: Insurers should educate policyholders and brokers about the importance of robust data privacy and security programs. Incentives, such as policy pricing and access to cybersecurity services, can drive improvements.
- Obtain Cyber Expertise: Evaluating cyber risk requires an appropriate level of expertise. Insurers should therefore recruit employees with cybersecurity experience and skills, and commit to training and developing the personnel they already have.
- Require Notice to Law Enforcement: Cybersecurity insurance policies should mandate that policyholders report attacks to law enforcement, which can aid in recovering stolen data and deterring future crimes.
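The Evaluate Systemic Risk item above says insurers must stress-test their book against a catastrophic event rather than price each policy in isolation. The following Monte Carlo model is an added example, not part of the framework or of Sepio's material, and every number in it (portfolio size, incident probabilities, the share of insureds that depend on one vendor) is a constructed assumption chosen for illustration. It runs the same portfolio twice, once with independent incidents and once with a shared-vendor dependency, and compares the expected annual loss with the 99th-percentile annual loss. The point it demonstrates is that the shared dependency barely moves the average, which is what premium pricing usually keys on, while it multiplies the tail loss that determines whether the insurer can pay all claims in a bad year.

```python
import random
from math import ceil


def simulate_annual_losses(n_insureds=200, p_base=0.05, shared_fraction=0.6,
                           p_vendor_event=0.02, p_loss_given_event=0.8,
                           n_sims=5000, seed=7, systemic=True):
    """Return one simulated annual portfolio loss per simulated year.

    Every insured carries a policy limit of 1 unit and suffers a full-limit
    loss in any year in which it is compromised. An insured can be hit by
      * an independent incident, probability p_base per year, and
      * (when systemic=True) a compromise of a vendor shared by the first
        shared_fraction of the portfolio. The vendor event occurs with
        probability p_vendor_event per year and then causes a loss at each
        dependent insured with probability p_loss_given_event.
    All parameter values are constructed assumptions, not market data.
    """
    rng = random.Random(seed)
    n_shared = int(n_insureds * shared_fraction)
    yearly_losses = []
    for _ in range(n_sims):
        vendor_compromised = systemic and rng.random() < p_vendor_event
        loss = 0
        for i in range(n_insureds):
            hit = rng.random() < p_base
            # Dependent insureds that escaped an independent incident can
            # still be taken down by the shared vendor in the same year.
            if vendor_compromised and i < n_shared and not hit:
                hit = rng.random() < p_loss_given_event
            loss += hit  # one limit unit per compromised insured
        yearly_losses.append(loss)
    return yearly_losses


def percentile(values, q):
    """Empirical q-quantile (0 < q <= 1) by the nearest-rank method."""
    ordered = sorted(values)
    rank = max(1, ceil(q * len(ordered)))
    return ordered[rank - 1]


def stress_test(**kwargs):
    """Compare the book with and without the shared-vendor accumulation."""
    independent = simulate_annual_losses(systemic=False, **kwargs)
    correlated = simulate_annual_losses(systemic=True, **kwargs)
    return {
        "mean_independent": sum(independent) / len(independent),
        "mean_systemic": sum(correlated) / len(correlated),
        "p99_independent": percentile(independent, 0.99),
        "p99_systemic": percentile(correlated, 0.99),
        "max_systemic": max(correlated),
    }


if __name__ == "__main__":
    r = stress_test()
    print(f"expected annual loss: independent {r['mean_independent']:.1f}, "
          f"with shared vendor {r['mean_systemic']:.1f}")
    print(f"99th-percentile annual loss: independent {r['p99_independent']}, "
          f"with shared vendor {r['p99_systemic']} "
          f"(worst simulated year {r['max_systemic']})")
```

With the default assumptions the expected loss rises by well under a quarter, but the 99th-percentile year roughly quintuples, because a 2%-per-year vendor event is frequent enough to sit inside the 1% tail and, when it happens, it hits most of the dependent insureds at once. That gap between mean and tail is the exposure the framework's stress-testing requirement is meant to surface; in practice the shared dependency would be a real vendor inventory gathered during underwriting, and policy limits and sublimits would replace the flat one-unit loss used here.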
The Growing Importance of Cybersecurity Insurance
As cyberattacks become more common and dangerous, cybersecurity insurance is more critical than ever. The New York Cyber Insurance Risk Framework sets a new standard for addressing the rapidly evolving cyber threat landscape.
Hardware attacks, for example, are particularly hard to mitigate because of their covert nature. Network implants sit at the physical layer, below the point at which software-based security tools inspect traffic, so those tools never see them. Spoofed peripherals present themselves to the host as legitimate human interface devices (HIDs), so the operating system accepts them as an ordinary keyboard or mouse and nothing flags them as harmful. Risks like these are difficult to control fully, which is where cyber insurance comes in, and a framework gives insurers a coherent reference when writing policies that cover them.
New York may be the first state to introduce such a framework, but it will certainly not be the last. Hopefully, the New York Cyber Insurance Risk Framework is the start of a global push to introduce cyber insurance risk frameworks. But for now, to quote Frank Sinatra, "it's up to you, New York".
Sepio’s Endpoint and Network Cyber Security
Protect your organization with Sepio’s comprehensive asset visibility and real-time risk management. Detect and mitigate threats from malicious hardware devices across your network, including those connected via USB and network interfaces. With Sepio, you’ll have:
- Complete visibility of all connected assets, ensuring no device goes undetected.
- Hardware-based risk assessments to identify vulnerabilities and threats in real-time.
- Immediate blocking and control of risky assets, preventing security breaches before they happen.
- Customizable policies to manage USB and network interfaces effortlessly.
Secure your infrastructure with the most advanced endpoint and network cyber security solution. Schedule a demo and see how Sepio can safeguard your assets!