How Confident Are You About Your Cyber Insurance Application?

There is a lot happening in the cyber security sector as we head into the fourth quarter of 2023. Attacks from malicious actors are rising in both frequency and scope. The aerospace and defense sectors are waiting for the final CMMC 2.0 rule and the release of NIST SP 800-171 Revision 3. Zero trust is becoming a common term and concept in the field. Amid all the economic and international issues, cyber security can get lost in the shuffle at many companies. Unfortunately, that is the last thing companies need in a time of such high risk.

Cyber Insurance Does Not Come Cheap

In February 2023, Fortune published an article about the rising cost of cyber insurance. The article notes:

As insurance companies grow more hesitant about risk, the average price for cyber insurance in the U.S. rose 79% in the second quarter of 2022, after more than doubling during each of the previous two quarters. At the same time, insurers are more carefully scrutinizing companies’ cyber practices, and excluding certain vulnerable technologies and attacks linked to war and conflict. 

The direct business impacts:

  • The risk is higher.
  • The cost of coverage is substantially higher.
  • Less is covered.

Now imagine paying those higher rates and then not getting the coverage you need after a breach.

How could that happen? 

Errors and Omissions

This concept is not to be confused with “Errors & Omissions” insurance. When a company submits an application for cyber insurance, the insurer assumes the information the applicant provides is accurate and truthful. If the application states that multi-factor authentication (MFA) is in place to protect the company’s environment, that statement is taken at face value.

The snag comes when a breach occurs and the insurance provider determines that MFA was enabled only on a limited number of systems or applications. This is considered a lie of omission: the contradiction shows that a risk was not disclosed to the insurance provider.
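The practical defense against this is to check the MFA claim against evidence before signing the application, not after a claim is filed. The script below is an added example (not code from the original article): it reads a constructed, generic CSV export of account MFA state (the column names are an assumption; Entra ID, Okta and Google Workspace each export their own columns, which you would map into these fields), then reports overall coverage, accounts with no second factor, accounts protected only by SMS or voice, and privileged accounts without a strong factor. The two boolean fields at the end are the answers you could honestly give to “Is MFA enforced for all users?” and “Is MFA enforced for all administrators?”.

```python
"""Check an MFA self-attestation against per-account state.

Added example, not from the original article. The CSV layout is an
assumption; real identity providers export different column names.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample export (not real data): one row per account.
# "mfa_methods" is empty when no second factor is registered;
# "privileged" marks admin-class accounts.
SAMPLE_EXPORT = """\
username,enabled,privileged,mfa_methods,last_sign_in
alice@example.com,true,true,authenticator;fido2,2023-10-02
bob@example.com,true,false,sms,2023-10-01
carol@example.com,true,false,,2023-09-28
dave@example.com,true,true,,2023-10-03
svc-backup@example.com,true,false,,2023-10-03
erin@example.com,false,false,,2022-01-15
"""

# SMS and voice factors are phishable and exposed to SIM swapping;
# treat an account that has only these as weakly protected.
WEAK_METHODS = {"sms", "voice"}


@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    privileged: bool
    mfa_methods: tuple
    last_sign_in: str


def parse_export(text):
    """Parse the CSV export into Account records."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        methods = tuple(m.strip() for m in row["mfa_methods"].split(";") if m.strip())
        accounts.append(Account(
            username=row["username"],
            enabled=row["enabled"].strip().lower() == "true",
            privileged=row["privileged"].strip().lower() == "true",
            mfa_methods=methods,
            last_sign_in=row["last_sign_in"],
        ))
    return accounts


def coverage_report(accounts):
    """Summarise MFA coverage over enabled accounts only.

    Disabled accounts cannot sign in, so they neither count toward nor
    against coverage; re-enabling one without MFA would change the answer.
    """
    active = [a for a in accounts if a.enabled]
    no_mfa = [a.username for a in active if not a.mfa_methods]
    weak_only = [a.username for a in active
                 if a.mfa_methods and set(a.mfa_methods) <= WEAK_METHODS]
    # A privileged account is a gap if it has no factor or only weak ones.
    privileged_gaps = [a.username for a in active
                       if a.privileged and (not a.mfa_methods
                                            or set(a.mfa_methods) <= WEAK_METHODS)]
    covered = len(active) - len(no_mfa)
    return {
        "active_accounts": len(active),
        "coverage_pct": round(100.0 * covered / len(active), 1) if active else 100.0,
        "no_mfa": no_mfa,
        "weak_only": weak_only,
        "privileged_gaps": privileged_gaps,
        "claim_all_users_mfa": not no_mfa,
        "claim_admins_mfa": not privileged_gaps,
    }


if __name__ == "__main__":
    report = coverage_report(parse_export(SAMPLE_EXPORT))
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed sample, only two of five active accounts have a second factor (40% coverage), one user relies on SMS alone, and one administrator has no MFA at all, so both attestation flags come back false. Run this against a fresh export on the day the application is signed, keep the output with the application file, and re-run it on a schedule: the evidence that the statement was true when made is what matters if a claim is later disputed.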

What can happen? Worst-case scenario: the insurance provider may decline part or all of a claim based on the omission of a material fact or non-compliance with a stated requirement of the policy. Additionally, the provider may revoke or rescind the policy, essentially treating it as if it had never been issued. Lastly, the insurance provider may refuse to offer the client any coverage across its full line of business insurance products in the future. All of this can leave a company without critical coverage in a dire time of need.

CMMC Logic Applied to Cyber Insurance

Why was CMMC started? The short version: DoD contractors were expected to self-assess against NIST SP 800-171, enter the resulting score into the Supplier Performance Risk System (SPRS), and then maintain that posture. In year two, DIBCAC (the Defense Industrial Base Cybersecurity Assessment Center) conducted spot checks. The results were disappointing: fewer than 25% of companies were found to have a score close to what they had reported, and about 75% were deemed unacceptable against the standard. From these poor results came CMMC 1.0, which required third-party assessments to validate the reported score. The CMMC 2.0 rule is expected to be published in 2024, with implementation starting in FY2025.

When a company files a cyber insurance application, it is a self-assessment. The insurance provider does not double-check that every answer is correct. It is up to the company to assess itself, report to the best of its ability, and hope it has it right.

What value would you place on having an independent party verify that the application is correct? What if a cyber security expert conducted a third-party assessment against an industry standard before the application is filed? This costs money up front, but the direct benefit is the ability to demonstrate that the organization actually meets the insurance provider’s requirements. It may also provide a legally defensible position if the provider later claims a requirement was not met. Cyber insurance application questions are typically drawn from either the CIS Controls or ISO 27001, and the CIS Controls map to ISO 27001. In other words, a cyber insurance application is a good starting point toward ISO 27001 certification. The same is true for CMMC.

A professional auditor can assess where your company is and let you know how you can move forward in the most efficient and cost-effective manner. 

If you are looking at cyber insurance, or if you have already applied and want to see a gap analysis for ISO 27001 or another standard, contact us today to discuss options that best meet your organization’s needs.