Cyber insurance coverage? Through the roof these days. Also, coverage is not that easy to get. The many breaches and the dollar judgements handed down make cyber insurance another costly operating investment. A mid-sized client of mine, as an example, pays $1 million in annual cyber insurance costs just to do business with its commercial and government customers.
The issue adds another twist to the topic of third-party risk. Typically, a corporation’s top tier of vendors has some form of cyber insurance. Such vendor coverage generally protects their customers from financial liability involving the breach of customer sensitive data such as Personal Identifiable Information (PII).
Breach incidents can also include disruptions, intellectual property exfiltration, and website defacements. Lately ransom threats where the hacker demands payment for not releasing data onto dark sites have escalated. For those vendor corporations handling customer data, ranging from sales histories to financial transactions, such vendor coverage is a must instead of an option.
Yet there are those smaller supplier companies which eschew cyber insurance either by choice or through lack of awareness. Estimates vary, but those smaller uninsured companies range from 28 to 41%, according to industry reports. Rising costs, coupled with the rigors of insurance requirements, ratchet down coverage as a priority.
This is the crux of an escalating vendor issue facing CISO’s today: which ones pose uninsured risks? Is it simply the smaller boutique vendor? Or does scope include second tier and third tier suppliers to main vendors as well? What precautions can be taken in advance to pre-empt lack of vendor coverage across tiers? These problems have been echoed by the CISO community now faced by increasing attacks channeled through third parties.
Here are three immediate mitigation steps CISO’s can take:
- Know vendors to the nth degree. Besides the standard inventory of cyber and IT suppliers, identify who are those who supply them. Do these secondary vendors have adequate coverage, and how about their subcontractors? This is not an easy task. But AT&T Cybersecurity offers vendor discovery tools, along with % risk levels, from partners such as NetSkope and BitSight. These tools help spare inter-vendor finger pointing and the “shock and surprise” in event of breach.
- Lock down contracts. There are any number of cyber insurance requirement clauses that can be added to new contracts in progress and ones for renewal. Here’s where the CISO finds Finance and Legal resources to be invaluable partners. Together they can determine if adequate vendor coverage exists for legal fees, breach recovery and cyber vandalism.
- Cyber hygiene vigilance. Third parties still pose the greatest threat of breach despite the best of plans. No one wants to in a position where they must execute on cyber insurance in the first place CISO’s can keep cyber fences “horse high” with basic defense mechanisms such as:
- Complex passwords
- VPN use
- Multi-factor Authentication (MFA)
- Sound firewall rules
- Strong anti-virus
- User security awareness
Within any of these intertwined areas of defense, AT&T Cybersecurity can be of assistance.
To summarize the complete evaluation of third-party risk must now include cyber insurance readiness as a factor. No CISO is an island here, and it becomes a protective opportunity rather than a headache once the right internal business partners are engaged.