Before any company explores cyber insurance, the first step in this process involves conducting a thorough cyber and data security risk assessment.
Conducting a Risk Assessment
A risk assessment is a key component of a holistic, company-wide risk management process. Based on National Institute of Standards and Technology (NIST) standards , risk management processes include: 1. framing risk; 2. assessing risk; 3. responding to risk; and 4. monitoring risk.
When assessing the company’s data and security risks, some considerations:
1. What are the company’s most critical information assets?
Understand what sensitive information the company needs to protect and identify all of the company’s sensitive information, and data assets.
2. Identify threats to company data.
Where is the company’s sensitive data? Where is it going? How is it stored?
Who has access to the data?
How is the data protected? Is it encrypted while at rest and in transit?
What steps is the company taking to secure its network, computer systems, devices, email and data communications?
3. What are the company’s likely real-world cyber incidents and example cyber scenarios?
Determine the company’s potential and likely real-world cyber threats to sensitive information. Review examples of cyberattacks and data breaches that have happened to others in the company’s industry and turn them into a learning opportunity. Being informed by these risks and real-world examples offers the company ways to quantify its cyber risk, and furthermore, take steps to implement tighter security controls, policies and procedures.
4. How cyber resilient is the company?
Cyber resilience involves a change in mindset whereby you look to identify how secure the company needs to be in order to survive. Having an effective cyber resilient program in place will enable the company to continue even in the middle of a cyberattack.
Once these steps are completed, the company is ready to explore cyber insurance, and appropriately align cyber insurance coverages to its specific cyber and data security risks.