The number of data breaches and the level of cyber-attacks are continuing to rise. According to Absolute Market Insights “it is estimated that over the next five years, cybercrime could potentially cost companies US$ 5.2 trillion every year.” In line with this growth, we are seeing an escalating interest in cyber liability insurance. Market.us recently found that the global cyber liability insurance market was valued at $5.5 billion US dollars in 2018 and is projected to increase significantly at a CAGR of 26.5% from 2019 to 2028.
The rationale for this growth is clear as cyber liability insurance helps cover the costs that businesses incur as a result of a data breach. Cyber criminals are continuously finding new vulnerabilities to attack. All businesses need to be aware that there is every possibility that they will become a victim of cyber-crime. Given this, taking out a cyber liability insurance policy will inevitably be at least a consideration for many businesses.
Managed service providers (MSPs) are likely to be especially attracted. After all, their strategic focus is on dealing with networks, both their own and those of their clients. Many MSPs buy cyber liability insurance for themselves. Many take on the role of a trusted consultant, advising clients to take out insurance. Many also represent the insurance companies as resellers. Whatever their precise role, however, the in-depth knowledge these MSPs typically have of their clients’ network infrastructure coupled with their understanding of the cyber security market allows them to pinpoint the bigger threats.
For many such companies taking out cyber liability insurance will be the right decision and will bring greater financial security. However, MSPs must take precautions to ensure that their cyber liability insurance and that of their clients stands up to scrutiny. Otherwise, their investment might be in vain.
Assessing the Challenge
The first consideration typically is what are you doing to protect your network environment to prevent the breach from happening? After all, no business wants to have to file an insurance claim. They don’t want a breach to occur. It is the job of the MSP to manage their network for them, monitor it regularly and ensure that it is always ‘locked down’.
The next challenge relates to exclusions. Cyber liability insurance policies typically require the insured organisation to exercise due care in their exercise of day-to-day security procedures. That can be an amorphous term. If businesses don’t adhere to one specific condition, for example, the insurer might not pay out.
In dealing with the challenge of cyber liability insurance for their clients, MSPs often adopt a manual paper-based approach, sitting down with the client to fill in that five-page fifty question application and hope that if there was an issue that they were covered. This can be a time-consuming and error-prone process.
Finding a Solution
The above scenario explains why a new approach to cyber liability insurance claims is needed. Such an approach is emerging in the shape of a methodology called “compliance process automation.” This is a more efficient, accurate way of ensuring cyber insurance compliance than the manual approach described in the previous section. Specifically, it makes it easier for the MSP and their business clients to navigate.
Typically, there is a lot of overlap between cyber liability insurance policies. There might be between 50-70 questions per policy. Of these, 30-40 questions might, for example, be included in every policy, with each policy also including 10-20 questions unique to it alone. The system can be tailored so that if the business is shopping around for cyber liability insurance for the first time, all the questions can be included but if it is already using a specific insurance product, it is just presented with the questions relevant to that policy.
Moreover, network scanners and automated processes can be used to review the client’s architecture and ensure the correct answers are provided to technical questions about the client’s capability. If the form asks whether the business regularly patches and updates its software, for example, the answer may be ‘yes’ on the application form but how can the client prove this? Compliance process automation provides the answer. Using this approach, the relevant software scans the network, reviewing every connected application and the last time they were patched and updated to produce an exclusion report if they are not current or out-of-date. This both helps prevent security breaches by alerting the business and the MSP to vulnerabilities, and documents evidence of compliance to verify claims.
With other questions: such as do you carry out background checks on all your employees, the answer may be given manually but the system then automatically prompts the user for the additional information required, such as uploading an example of the background check form used or asking for the name of the provider to be included.
It is important to highlight here that the compliance process automation approach is not to be used on an ad hoc basis. Networks and IT infrastructures are continuously evolving. Patch software that was compliant in March may no longer be in April. Network scanning and information updating must be regular and continuous and that is what this approach delivers. It is also important that it provides ease of use to further drive productivity, ensuring for example, that both the MSP and the end customer can access it and upload information directly into the system when required.
MSPs today are increasingly worried about security breaches. They are conscious of the significant losses that these breaches and cyber attacks can bring. They are therefore very receptive to cyber liability insurance but should tread carefully to avoid potential pitfalls for themselves and their clients. That’s why compliance process automation is increasingly an approach whose time has come.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.