Hmm… do you (CIO, CISO, IT director, director of information systems) have all the answers?
Not likely. You probably have some of the answers, but not all.
Information security is not just a job for IT; it is a job for the entire company. Everyone has a part to play if the organization is to be cyber secure.
Some of the questions the insurance carrier will ask relate to data owned by other departments. Your HR department is responsible for safely storing employee information (salary information, tax information [including SSNs], and healthcare information). The finance department is responsible for making sure your vendor information, company bank information, investments, and other financial data are stored securely. If you have a software development team, or you store customer data in applications you build, your application development team is responsible for that data.
GRC is an acronym you want to remember if you don’t know it already. Governance, Risk, and Compliance is the team that is typically responsible for making sure you have a plan or framework in place to keep your information safe, secure, and available.
For a small company, the GRC team might be all the vice presidents or managers; for a larger company it could be a dedicated team; and for a Fortune 100 company, it is a team that reports to the board.
As the CIO you will likely have to answer these questions, so in a perfect world you call your chief information security officer (CISO) to fill out the questionnaire. On that call, they let you know that because of the proactive steps they have taken below, you can expect to get the best possible quote:
Congratulations, you are #WINNING!
“But, wait,” you say, “I don’t have a CISO or a person in the CISO role. What do I do?”
Don’t panic; that’s understandable and not unusual.
Not everyone has an adaptive information security program (Tier 4, the highest of the NIST Cybersecurity Framework's four implementation tiers) with all the features listed above. I have talked with clients who are at the adaptive level (level 4 on a 1-4 scale), and I've talked with those that are risk informed (level 2) and organizations in between.
The list of security practices above can be hard for an organization to implement unless top-level management faces regulatory or contractual requirements (e.g., Sarbanes-Oxley, GLBA, PCI DSS, or other federal and state regulations) or the organization has experienced a data breach, ransomware attack, or an expensive cyber incident of some kind.
The goal of a good information security program is to avoid these kinds of cybersecurity incidents, and the goal of cyber insurance is to limit the financial damage when one happens anyway:
What can you do if you do not have an adaptive information security program but you know you have risks and you want to mitigate those risks as much as possible?
You need to know the basics of your environment, in other words, the who, what, when, where, why, and how of your information environment:
Who are you collecting data about? Your customers? Your employees? Random people who visit your website? Potential customers? Do you buy mailing lists?
What data do you collect? Personal data? Sensitive data (Social Security numbers, credit card numbers, etc.)? Tracking information about your staff or customers?
When do you collect the data? When you make first contact? Every time you engage with them?
Where do you store that data?
Why are you storing that data and for how long?
How are you storing and protecting that data?
Consider this another way to think about what is important to a cyber insurance provider. Moreover, I suggest you get some help with this process internally, and probably externally with a vendor partner. The vendor partner could be your auditors, or a company like CBTS that specializes in information security and helping companies set up a good InfoSec program. Contact our security team today to get your security program on the road to insurability.
Read more about Cyber Insurance from John Bruggeman:
More tools for your cybersecurity toolbox from CBTS Consulting CISO John Bruggeman: