Cybersecurity insurance is a direct product of a growing dependence on digital data. Enterprises are investing more in their data gathering and analytics to drive competitive advantage, so it's only logical that cybersecurity would be a top priority for IT-driven organizations.
However, those who insure cybersecurity are not convinced enterprises are doing enough to protect their digital assets. A recent study from CSO outlines some major changes coming to cybersecurity insurance in 2016. These changes will likely have a large impact in the coming year, and enterprises must take steps to best stay ahead of the cybersecurity curve.
The Winds of Change
So, which changes are likely to affect your stance with your insurance company? First and foremost, the CSO study found that insurance providers will be more likely to refuse payouts for breaches in environments with ineffective security practices. Additionally, payouts will be modeled in a more realistic manner.
The following four factors will represent the foundation of these new actuarial models:
- Market cap
- Targeting profile
- Risk profile
Providers will also go in-depth on a per-customer basis to develop a policy tailored to each specific environment. These will include additional factors such as company culture, data valuation, and even audits on employee security practices.
Ultimately, insurance providers just want policyholders to take cybersecurity more seriously. For modern enterprises, this means implementing verifiable countermeasures to combat the growing risk of cyberattacks.
Know Where You Stand
In an effort to ensure compliance with new cybersecurity insurance standards, enterprises should take actionable steps to implement both proactive and reactive strategies. The first step in this process involves taking a long look at current security practices in contrast to priority targets.
This audit should reveal two important items: your company's most critical-and likely most targeted-digital assets and the security measures that cover them. To ensure reactive capabilities, physical and digital gateways to critical data should be constantly monitored by verifiable services or third-party vendors.
With new vulnerabilities emerging regularly, a solely reactive strategy is insufficient. Taking a proactive stance toward cybersecurity is equally important. This is doubly true now that insurance providers will be taking a peek at this aspect of a policyholder's security culture. Proactive measures include threat modeling, penetration testing, and effective employee training. In short, companies can't simply wait for an attack; they must implement solutions that are constantly on the hunt for potential vulnerabilities.
When all is said and done, the changes made by providers will continue to drive up cybersecurity insurance costs. As such, getting the best rate becomes more of a priority. By implementing both proactive and reactive security strategies, enterprises put themselves in a better position to not only keep that cost down, but also provide more comprehensive protection of their critical data.
Photo source: Flickr
Category: RSA Fundamentals
Keywords: Cybersecurity, Insurance