Cyber Insurance, part 3: Filling out the questionnaire

January 4, 2022
John Bruggeman
Consulting CISO

We are on to Part 3 of our Cyber Insurance series. You have read parts one and two, you know you need it, and you have an idea what questions are going to be asked. Now you need to answer them.

[Image: a person at a computer filling out a cyber insurance questionnaire. Caption: Answers for a cyber insurance questionnaire come from teams across the organization.]

Hmm… do you (CIO, CISO, IT director, director of information systems) have all the answers?

Not likely. You probably have some of the answers, but not all.

Information security is not just a job for IT, it’s a job for the entire company. Everyone has a part to play for the organization to be cyber secure.


Some of the questions the insurance carrier will ask are related to data owned by other departments. Your HR department is responsible for safely storing employee information (salary information, tax information [including SSN], and healthcare information). The finance department is responsible for making sure your vendor information, company bank information, investments, and other financial data are stored securely. If you have a software development team or you store customer data, your application development team is responsible for that data.

GRC is an acronym you want to remember if you don’t know it already. Governance, Risk, and Compliance is the team that is typically responsible for making sure you have a plan or framework in place to keep your information safe, secure, and available.

For a small company, the GRC team might be all the vice presidents or managers, for a larger company it could be a dedicated team, and for a Fortune 100 company, it’s a team that reports to the board.

As the CIO you will likely have to answer these questions, so in a perfect world you call your chief information security officer (CISO) to fill out the questionnaire. On that call, they let you know that because of the proactive steps listed below, you can expect to get the best possible quote:

  • Micro-segmentation of the network.
  • A next-generation firewall (NGFW) at the perimeter.
  • Extended detection and response (XDR) on all endpoints, with 24×7 monitoring.
  • Implementation of a security information and event management (SIEM) tool.
  • Monthly vulnerability assessments and remediation.
  • Multi-factor authentication (MFA) for e-mail, VPN, and network access.
  • A third-party assessment of your information security program, which is based on the NIST Cybersecurity Framework.
  • Adaptive information security and awareness training.
  • Data governance and risk assessment protocols, policies, and procedures.

Congratulations, you are #WINNING!

“But, wait,” you say, “I don’t have a CISO or a person in the CISO role. What do I do?”

Don’t panic; that’s understandable and not unusual.

Not everyone has an adaptive information security program with all the features listed above. I have talked with clients who are at the adaptive level (level 4 on a 1-4 scale), and I’ve talked with those who are risk-informed (level 2) and organizations in between.

The list of security practices above can be hard for an organization to implement unless top-level management is subject to regulatory requirements (e.g., Sarbanes-Oxley, GLBA, PCI-DSS, or other federal regulations) or the organization has experienced a data breach, ransomware attack, or an expensive cyber incident of some kind.


The goal of a good information security program and cyber insurance is to avoid these kinds of cybersecurity incidents:

  • Accidental disclosure or data breach of sensitive information or personally identifiable information (PII).
  • Ransomware attack that cripples your organization.
  • Business e-mail compromise (BEC) that causes financial loss.
  • E-mail fraud (fake invoices or similar).
  • Malicious insider threat or other cyber incident.

What can you do if you do not have an adaptive information security program, but you know you have risks and you want to mitigate those risks as much as possible?

You need to know the basics of your environment; in other words, the who, what, when, where, why, and how of your information environment:

Who are you collecting data about? Your customers? Your employees? Random people who visit your website? Potential customers? Do you buy mailing lists?

What data do you collect? Personal data? Private data (social security numbers, credit cards, etc.)? Tracking information about your staff or customers?

When do you collect the data? When you make first contact? Every time you engage with them?

Where do you store that data and how?

Why are you storing that data and for how long?

How are you storing that data?

Consider this another way to think about what is important to a cyber insurance provider. Moreover, I suggest you get some help with this process internally, and probably externally with a vendor partner. The vendor partner could be your auditors, or a company like CBTS that specializes in information security and in helping companies set up a good InfoSec program. Contact our security team today to get your security program on the road to insurability.

Read more about Cyber Insurance from John Bruggeman:

Part 1: What is Cyber Insurance and Do I need it?

Part 2: Cyber Insurance, part 2: Getting ready for the insurance company questionnaire!

Part 4: What do you do if your cybersecurity insurance policy is denied?
