Our current cyber atmosphere is one fraught with fear. It seems we’re seeing a “hair on fire” or Y2K sort of pandemonium all over again. But why? The fear and hysteria are unwarranted.
Cyber security is not some extraterrestrial concept that no earthling could hope to understand. Cyber security is no different from standard business practices, which place importance on risk assessments of all kinds.
Do you recall applying for automobile insurance and your driving history being scrutinized? Or what about applying for medical insurance and having both your medical history and your family medical history reviewed? In both examples, the data evaluated helped the provider assess the risk that you presented at that moment. Insurers need to look at the risks that are present for their product and recognize the need to evaluate and prepare for these risks.
Why would it be any different for cyber insurance or cyber security in general? How do you check for cyber risks at your firm or evaluate an applicant for cyber insurance?
Do you jump right in and perform an invasive, ground-up assessment that leaves no stone unturned? Probably not. You would likely find this to be both time- and cost-prohibitive. On the other hand, a simple questionnaire or form would likely not provide the level of insight that you would need or want to accurately assess risk.
An easy starting point for quickly determining risk is to evaluate compliance with industry standards (HIPAA, NIST, ISO, etc.). Various firms provide this service, including Cyberfense. Cyberfense’s SaaS platform is designed for ease of use in determining compliance with many industry standards. It also provides the ability to quickly assess compliance within a vendor supply chain or evaluate other third-party risks.
Simple questionnaires are meaningless if they are not measurable. Leading your cyber risk assessment program with a compliance check is a great starting point.