Cybersecurity insurance questionnaires—a way for the insurer to understand a prospect’s defenses—used to be brief.
Do you have AV? Do you have a firewall?
Just a few years ago, answering “yes” to those two questions put you pretty firmly on a path to getting cyber-covered, said Jason Rebholz, CISO at Corvus Insurance.
Now, with the costly stakes of ransomware and business email compromise (BEC), insurers need extra pages to confirm security controls. The longer questionnaires suggest that insurers want a deeper understanding of an organization’s defenses against attacks that could literally cost millions.
“If you’re in the higher end of the SMB market, certainly in the midmarket and in the larger organizations, you’re looking at a minimum of 25 to 50 detailed questions,” Rebholz told IT Brew.
Questions like, “How are your data backups protected and configured?” might be on the list, for example, along with “What vendor are you using for endpoint detection and response (EDR)?”
BEC and ransomware. A July 2022 report from IBM revealed two tough price tags. The average cost of a data breach, via business email compromise: $4.89 million. For ransomware (minus the ransom): $4.54 million.
“When you look at the largest costs for cyber insurance carriers in terms of security incidents: It’s ransomware and it’s business email compromise,” said Rebholz.
Let’s play Risk. Risk level, given the array of cyberthreats, is not agreed upon.
“Every insurance agency, every brokerage, they’re all asking different questions,” said Shawn Wiora, CEO of the risk-quantification provider Maxxsure.
To demonstrate varying priorities, a 2022 Panaseer survey of 400 global insurers revealed a range of “most important factors when assessing a security posture.” These were cloud security, security awareness, and application security, to name a few.
—BH