The global cyber-risk insurance market has nearly tripled in size in just two years. While this sounds like a good thing for insurance companies, Chris Pace of Wallix UK explains that this might be a slippery slope if IT departments simply look at these insurance policies as a way to get off the hook. Pace explains that the “ideal form of cyber-risk management then is the correct balance between that transfer of risk to the insurance provider and an appropriate level of IT security measures, as implemented and managed by the in-house IT team.” However, he believes that often, these security measures are not being kept at a high enough level and as a result, the IT department runs the risk of invalidating the insurance policy.
In response, Pace has created a list of recommendations for IT departments to follow that may help in both working with their carriers and decreasing the risk of a cyber attack:
- Get involved in the decision-making process.
- Make sure that you have a clear understanding of the limitations of your existing technology and how that may affect your cover.
- Make sure that your regular and automated security activities (updates, patches, signatures, etc.) are working.
- Maximize your own visibility. If you suffer a breach, the insurance company will want to attribute the source, and the more data you have, the easier your job will be.
- Know your access control weaknesses. Most cyber-insurance policies assume you have complete control and that you have visibility of every user who has access to your infrastructure.
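The last three recommendations are things an IT team can check against its own inventory data rather than take on trust. The script below is an added illustration, not code from the article or from Wallix: it runs a small audit over a constructed host and account inventory, flagging hosts whose patching has gone quiet, hosts that do not forward logs to central collection (so a breach on them would be hard to attribute), and accounts that would undermine the "every user is known and controlled" assumption (shared credentials, privileged accounts without MFA, dormant accounts). The 30-day patch threshold, the 90-day dormancy threshold, the field names and the sample records are all assumptions chosen for the example.

```python
"""Inventory audit mapped to three of the recommendations above.

Added example, not the article's or Wallix's code. Thresholds, field
names and the sample inventory are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

PATCH_MAX_AGE_DAYS = 30      # assumption: patching older than this is "not working"
DORMANT_ACCOUNT_DAYS = 90    # assumption: no login in this many days needs review


@dataclass
class Host:
    name: str
    last_patched: date
    ships_logs: bool         # forwards logs to central collection?


@dataclass
class Account:
    user: str
    privileged: bool
    last_login: Optional[date]
    shared: bool             # generic credential not tied to one named person
    mfa: bool


def stale_hosts(hosts: List[Host], today: date, max_age: int = PATCH_MAX_AGE_DAYS) -> List[str]:
    """Hosts whose last successful patch run is older than max_age days."""
    cutoff = today - timedelta(days=max_age)
    return [h.name for h in hosts if h.last_patched < cutoff]


def silent_hosts(hosts: List[Host]) -> List[str]:
    """Hosts that keep no central log trail, so post-breach attribution would be guesswork."""
    return [h.name for h in hosts if not h.ships_logs]


def account_findings(accounts: List[Account], today: date,
                     dormant_days: int = DORMANT_ACCOUNT_DAYS) -> List[Tuple[str, str]]:
    """Accounts that break the 'complete control, every user visible' assumption."""
    findings = []
    cutoff = today - timedelta(days=dormant_days)
    for a in accounts:
        if a.shared:
            findings.append((a.user, "shared credential: no attribution to a person"))
        if a.privileged and not a.mfa:
            findings.append((a.user, "privileged account without MFA"))
        if a.last_login is None or a.last_login < cutoff:
            findings.append((a.user, "dormant account: no login in %d days" % dormant_days))
    return findings


def audit(hosts: List[Host], accounts: List[Account], today: date) -> dict:
    """Collect all findings, keyed by the recommendation they relate to."""
    return {
        "stale_patching": stale_hosts(hosts, today),
        "no_central_logging": silent_hosts(hosts),
        "access_control": account_findings(accounts, today),
    }


# Constructed sample inventory; these are not real systems or users.
TODAY = date(2024, 6, 1)
SAMPLE_HOSTS = [
    Host("web01", date(2024, 5, 20), ships_logs=True),
    Host("db02", date(2024, 3, 15), ships_logs=True),      # patching silently stopped
    Host("legacy03", date(2024, 5, 25), ships_logs=False),  # no central log trail
]
SAMPLE_ACCOUNTS = [
    Account("alice", privileged=True, last_login=date(2024, 5, 30), shared=False, mfa=True),
    Account("svc_backup", privileged=True, last_login=date(2024, 5, 31), shared=True, mfa=False),
    Account("bob", privileged=False, last_login=date(2024, 1, 10), shared=False, mfa=True),
    Account("contractor", privileged=False, last_login=None, shared=False, mfa=False),
]

if __name__ == "__main__":
    report = audit(SAMPLE_HOSTS, SAMPLE_ACCOUNTS, TODAY)
    for section, items in report.items():
        print(section)
        for item in items:
            print("  -", item)
```

Run on real data, the output is exactly the kind of record worth keeping before an incident: it shows the carrier that the automated controls were verified, not assumed, and it gives the team a dated list of gaps to close before they become grounds to dispute a claim.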