Cyber attacks -- from phishing attacks and ransomware to distributed denial-of-service attacks, viruses and other cyber incidents -- can seriously disrupt organizations and individuals alike. Attempting to prevent cyber attacks and mitigating the impact if they do occur are two major actions organizations and users can perform to alleviate damage. This is where cyber insurance and risk mitigation fit in.
First, though, it's essential to know when an attack is imminent or highly likely. But how? Determining an organization's vulnerability to cyber attacks is as important as preventing or mitigating them. Vulnerability management takes the basic task of determining where weaknesses exist and turns it into a structured program in which proactive investigations are made to identify potential attack vectors.
Perhaps the most important action to be taken in vulnerability management is penetration testing, which attempts to find holes in network perimeters and identify concerns, such as older security software releases that haven't been updated with the latest threat data. Patch management and vulnerability scanning are two complementary prevention efforts that should be performed as regularly as vulnerability management.
Think of vulnerability management as a cornerstone activity of an overall cybersecurity management program. Included in such a program are tasks such as access management, incident response, risk management, data protection, ensuring data privacy and data integrity, network perimeter protection, creation of policies and procedures, and testing and exercising activities.
These are all performed before a breach; another cornerstone is post-breach response and mitigation, in which cyber insurance can play a key role. Let's look at both cornerstones.
Standards and regulations
Vulnerability management and its corollary activities are addressed in several critical domestic and international standards and regulations, including the following:
Compliance with these standards and regulations is important from an audit perspective. The same is true when developing policies and procedures for vulnerability management and its complementary activities. IT organizations must ensure policies and procedures are in place and documented for these activities.
Vulnerability management programs
Vulnerability management is often part of a comprehensive cybersecurity program. Processes typically performed in such a program include vulnerability scanning (looking for potential access points), penetration testing (attempting to violate security prevention measures to detect weaknesses), patch management (updating applications and systems with vendor-supplied fixes) and remediation (post-event actions to prevent future occurrences).
Additional vulnerability management activities that may overlap with other cybersecurity programs include incident response, security awareness and training, exercising and testing, and risk assessments.
From a management perspective, vulnerability administrative tasks might include scheduling penetration tests and scans, installing and testing patches, vendor coordination, budget preparation, audit preparation and support, compliance support, policy and procedure development, and preparing documentation. Sometimes vulnerability management activities are linked with other security-related tasks. IT management must decide where vulnerability management fits in the overall IT leadership and operational hierarchies.
The role of cyber insurance in risk mitigation
Relatively new as compared to more traditional types of business and personal insurance, cyber insurance policies typically deal with the aftermath of a cyber attack, its effect on the business and/or individual, and how post-event issues are covered. Within a cybersecurity program, cyber insurance can and should be an integral component, based on how the organization handles insurance.
In advance of securing cyber insurance, risk mitigation experts within IT departments should identify the kinds of issues to cover and potential expenditures to address post-event initiatives. IT and possibly other departments -- e.g., corporate risk and/or insurance -- may need to address issues such as loss of reputation and competitive position, and the legal department may need to be consulted on potential litigation.
On the assumption that an organization is at risk of some sort of cyber attack -- and most are, despite many preventive measures -- cyber insurance can help organizations return to business by covering specific losses and liabilities. Among the potential losses are theft of information, payment of ransoms, loss of revenue, costs to recover lost data, costs to replace systems, restoration of employee identities, and a variety of lawsuits based on these and other events. Additional costs associated with forensic activities to determine the cause of the incident may need to be covered as well.
Cyber insurance is available from many insurance carriers. Prospective candidates for such policies must do a good deal of homework before even contacting a carrier. Research a cyber insurance buyer's guide if one is available. Recognize that first-party (directly affecting an organization or individual) and third-party (actions taken by business customers and others) coverage will probably be needed. Many different kinds are available, but consider coverage areas such as theft of data, theft of identity and data breaches to start. Business interruption insurance may be included as part of the cyber policy, although it may also be used for non-cyber incidents. Many other kinds of events can be covered; the key is to be sure that cyber insurance is indeed needed -- and for the right reasons.
Cyber insurance, risk mitigation -- the two should be seen as complements in your organization's overall cybersecurity policy. Be aware that cyber insurance may be coordinated elsewhere in the IT department or perhaps in a corporate insurance department. Regardless of how the insurance is implemented, it makes great sense in today's world of aggressive cyberbreaches.