Information security management — Guidelines for cyberinsurance
7 Risk assessment supporting cyber-insurance underwriting
7.1 Overview
The process for creating a cyber-insurance policy, also referred to as the underwriting process, typically involves a number of preparatory activities to assist in determining whether to accept the insured’s cyber-risk and to determine an adequate price for the cyber-risk coverage. These activities include:
a) acquiring information about the insured’s cyber-security practices;
b) assessing the insured’s cyber-risks;
c) assessing the insured’s business risks;
d) determining the insured’s insurability; and
e) creating a cyber-insurance policy with the necessary price.
7.2 Information collection
An insurer identifies required data and information about the insured to assist in the cyber-underwriting process. Required insured data and information can include:
a) understanding of the mission and business;
b) identification of key stakeholders including customers and business partners;
c) information retained and processed;
d) details of information systems and any outsourcing arrangements;
e) details of the ISMS;
f) list and description of applied information security controls;
g) records of previous incidents; and h) additional assurance of the status of information security controls, such as audit reports and follow-up results.
Information being collected needs to be properly protected and delivered in an up-to-date and complete manner. An insurer can request regular updates of the information in a defined frequency.
An insurer can also collect additional information on the insured’s cyber-risk from third-party providers, such as a specialized risk assessment service provider. The depth of such information collection depends on the amount and extent of the desired insurance coverage, which typically relates to the size of the insured. An insurer can decide whether to share such additional information with the insured.
7.3 Cyber-risk assessment of the insured
7.3.1 General
An insurer assesses cyber-risks of the insured to assist in determining whether to accept the insured and to determine an adequate price for the desired coverage. The risk assessment can look at both the risk exposure of the insured and the status of in place information security controls.
7.3.2 Inherent cyber-risk assessment
An insurer generally determines a typical level of risk for the insured based on knowledge of industry sectors, sometimes known as the inherent risk exposure of the insured, taking into account the following example factors:
a) industry sector;
b) size of organization;
c) business activities;
d) extent and type of information stored and used;
e) dependency on externally managed or outsourced systems;
f) countries where business activities are performed; and
g) whether the insured is subject to regulation.
Industries which process highly sensitive information are generally considered to be subject to higher risk exposure.
7.3.3 Information security controls assessment
An insurer assesses the extent to which the insured has implemented information security controls to protect its information and assets, and the extent to which the inherent cyber-exposure is mitigated. An insurer assessment can consider technology, process and people, and can reference an established control set. For example, ISO/IEC 27002:2013 which includes:
a) Information security policies — define a set of policies to clarify the insured’s direction of, and support for, information security;
b) Organization of information security — define and allocate segregated roles and responsibilities for information security to avoid conflicts of interest and prevent inappropriate activities;
c) Human resource security — responsibilities taken into account when managing the lifecycle of employees, contractors and temporary staff;
d) Asset management — assets contained in an inventory, owners identified and accountable for asset security assigned; e) Access control — limit access to information and information processing facilities;
f) Cryptography — use of encryption, cryptographic authentication and integrity controls such as digital signatures and message authentication codes, and cryptographic key management;
g) Physical and environmental security — define physical perimeters and barriers, with physical entry controls and working procedures, to protect the premises, offices, rooms, delivery or loading areas against unauthorized access;
h) Operational security — procedures and responsibilities, protection from malware, backup, logging and monitoring, control of operational software, technical vulnerability management and information systems audit coordination;
i) Communications security — network security management and Information transfer;
j) System acquisition, development and maintenance — Security requirements of information systems, security in development and support processes and test information;
k) Supplier relationships — information security in supplier relationships and supplier service delivery management;
l) Information security incident management — management of information security incidents and improvements;
m) Information security aspects of business continuity management — information security continuity and redundancies; and
n) Compliance — compliance with legal and contractual requirements and information security reviews.
7.3.4 Review prior cyber-losses
Where substantial prior losses have occurred, an increased level of understanding is required as to the steps taken by the insured to reduce future losses. This review can include the insured’s financial condition (balance sheet, income statement and cash flow statement). The adoption of certain new information security controls or the strengthening of existing controls can be required to minimize future cyber-losses prior to an insurance decision being determined.
People also ask this Questions
- What are the aspects of coverage?
- What data are covered by cyber liability insurance?
- Are there any regional restrictions on the policy?
- How long after a breach occurs do you have to report it without losing coverage?
- What is cyber insurance?
- What is cyber risk?
Infocerts, 5B 306 Riverside Greens, Panvel, Raigad 410206 Maharashtra, India
Contact us – https://www.infocerts.com
