
10 must-have components in your disaster recovery plan

By: Kolbe Merfeld
07.24.24

A Consultant in BerryDunn’s Management and Information Technology Group, Kolbe works with clients to help them with organizational change, technology transformation, and risk and compliance services. He works primarily in the higher education and healthcare sectors.

Read this if you are an IT director, information security officer, compliance officer, risk manager, or organizational leader interested in enhancing resilience and robust continuity strategies.

Organizations today must be able to respond to and recover from unforeseen disruptions in a timely manner. A Disaster Recovery Plan (DRP) is the organization's guide for doing so: it documents how risks are mitigated, how downtime is limited, and how recovery is expedited during a disaster.

Here are 10 must-have components to include in your organization’s DRP:

  1. Purpose and objectives: State the plan's primary goal, strengthening the organization's resilience and continuity during a disaster, and the objectives that support it: minimizing downtime, safeguarding critical assets, and expediting recovery.
  2. DR team and responsibilities: Designate the individuals responsible for executing the plan and define their roles and responsibilities during a disaster. Include contact information and escalation procedures so that response and decision-making are timely and coordinated.
  3. Disaster definitions and scenarios: Define the types of disasters that could affect the organization and the criteria for declaring one, so that activation is a decision made against written thresholds rather than improvised in the moment.
  4. Notification and communication: Detail how key personnel and stakeholders are alerted when a disaster is declared, including contact lists, communication methods (with an out-of-band channel for the case where email or chat is itself unavailable), and escalation protocols.
  5. Business Impact Analysis (BIA): Identify critical business functions, assess the consequences of disrupting each one, and prioritize recovery accordingly. For each function, set a Recovery Time Objective (RTO), the maximum acceptable time to restore a system or service after a disruption before the consequences become significant, and a Recovery Point Objective (RPO), the maximum acceptable data loss, expressed as the point in time to which data must be recoverable. The RPO dictates how often backups must complete; the RTO dictates how fast restoration, and the infrastructure it depends on, must be.
  6. Emergency procurement: Outline how necessary resources and supplies are obtained during a disaster, including authorization protocols, supplier contacts, and procurement methods, so that essential goods and services can be acquired without waiting on normal approval cycles.
  7. Reconstitution: Detail the steps for restoring normal operations after a disaster, including the order in which systems, applications, and infrastructure are brought back online (shared dependencies such as networking, DNS, and identity before the applications that rely on them) and the post-recovery testing and validation that confirms functionality before users are let back in.
  8. Distribution: Specify how the plan is distributed to relevant personnel, stakeholders, and external parties, including methods of dissemination, version control, and how it remains accessible during an emergency (a copy held outside the systems the plan is meant to recover).
  9. Testing: Outline the schedule, procedures, and objectives for regular tests and exercises, from tabletop walkthroughs to full restores, to validate that the plan works, surface weaknesses, and prepare personnel for response and recovery.
  10. Maintenance: Detail the process and ownership for regularly reviewing and revising the plan as technology, infrastructure, personnel, and business processes change, so that it stays accurate and effective.

For more information on disaster recovery planning or if you have questions about your specific situation, please don’t hesitate to contact our cybersecurity consulting team. We’re here to help.

Read this if you are an IT director, information security officer, compliance officer, risk manager, or organizational leader interested in enhancing resilience and robust continuity strategies.

Disaster Recovery (DR) involves processes and strategies to promptly restore critical business functions and IT systems following disruptive events like natural disasters, cyberattacks, hardware failures, or pandemics. The DRP is designed to restore operability at an alternative site after a declared disaster while minimizing downtime and data loss to resume normal operations.

The DR team, responsible for DRP planning, implementation, and management, is charged with minimizing the impact of a disaster on the organization and expediting the recovery of critical business functions. Assembling a team with both operational and technical perspectives is crucial.

Defining a clear chain of command is also important to specify when the DR team can make decisions, ensuring effective delegation of authority and control during a disaster. The DR team lead should initiate the plan after consulting team members and assessing the situation.

Key roles on a DR team include:

  • Team lead: Oversees the entire DR planning and execution process. Responsible for coordinating activities and ensuring the DRP is up to date.
  • Technology lead: Manages the IT infrastructure recovery process, including data backup and restoration, system recovery, and network restoration.
  • Security lead: Manages the security aspects of the recovery process, including protecting sensitive information and ensuring that security measures are in place during the recovery process.
  • Communications lead: Manages communication during and after a disaster, both internally and externally. Ensures that all relevant stakeholders are informed about the situation and communication channels are established.
  • Human resources lead: Manages the human aspect of disaster recovery, including employee safety, relocation, and communication of HR policies during the recovery process.
  • Legal/compliance representative: Makes sure that the recovery process adheres to legal and regulatory requirements, including data protection and privacy regulations.
  • Facilities coordinator: Coordinates the recovery of physical facilities and sources alternative workspaces if the primary location is compromised. 
  • Vendor/supplier coordinator: Coordinates with external vendors and suppliers to secure the resources and services needed during recovery.

Disaster Recovery Plans: Conclusion

To create an effective DRP aligned with the organization's needs and risks, it is crucial for the DR team to encompass representatives from various departments. Regular training, testing, and updating of the plan are essential for maintaining preparedness and effectiveness in addressing potential disasters.

Article: Building your Disaster Recovery Planning (DRP) team

Read this if you are an IT director, information security officer, compliance officer, risk manager, or an organizational leader interested in enhancing resilience and robust continuity strategies.

In today’s business environment, the ability to navigate and recover from unexpected disruptions is crucial. Whether facing cyberattacks, health crises, or even natural disasters, the faster your organization can resume operations, the better. To enhance organizational resilience, it is important to distinguish between business continuity (BC), disaster recovery (DR), and incident response (IR). This short article outlines the distinct roles of BC, DR, and IR, emphasizing their contributions to resilience and offering insights for developing strategies to address disruptions effectively.

What is business continuity?

Business continuity is focused on sustaining an organization's mission and essential business processes during and after a disruption. For many organizations, this includes critical functions, such as payroll or customer service.

A business continuity plan (BCP) can be customized for a single unit or the entire organization, emphasizing specific functions. The BCP's objective is to help ensure the uninterrupted operation or timely restoration of critical business processes, regardless of the disruption's nature, whether it be IT-related or if it affects other aspects of the business.

BCP components include:

  • Identifying potential risks and threats and assessing their impact on critical processes, as well as prioritizing functions based on criticality
  • Developing strategies to mitigate disruption impacts on critical functions and exploring alternative approaches to conducting business
  • Outlining procedures for immediate threats or emergencies, providing contact details for key personnel and emergency services, and specifying evacuation plans and safety protocols
  • Establishing guidelines for internal and external communication during disruptions and protocols for keeping employees, customers, and stakeholders informed
  • Describing the recovery and restoration of IT systems and data (refer to the disaster recovery section below), including backup and recovery procedures, and defining the roles of IT personnel during disruptions

What is disaster recovery?

Disaster recovery addresses significant disruptions that deny access to the primary IT infrastructure for an extended period. Examples of disasters include natural disasters, terrorist attacks, cybersecurity incidents, power outages, network failures, pandemics, etc.

A disaster recovery plan (DRP) is a targeted strategy to restore operability to the IT infrastructure following a disaster. It complements a BCP by recovering supporting systems for essential business processes. The DRP’s objective is to minimize downtime and data loss by restoring IT systems, applications, and data in a timely manner to resume normal operations.

DRP components include:

  • Identifying risks and threats to IT systems and data and assessing their impact on critical functions
  • Establishing recovery time objectives (RTO) and recovery point objectives (RPO) for critical systems and prioritizing each based on criticality
  • Implementing procedures for regular data backups, selecting appropriate methods, and keeping copies off-site and isolated from the production environment, so that the event that takes down production cannot also destroy the backups
  • Providing detailed recovery instructions for IT systems and applications, with designated personnel responsible for execution
  • Conducting regular testing through simulation exercises, evaluating DRP effectiveness, and adjusting as necessary
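As an added example that is not part of the original articles, the following Python checks a BIA's RTO and RPO targets against what actually happened in a disruption, using the backup history and the time each system was validated back in service. It serves both the BIA item in the 10 components above and the RTO/RPO item in the list just above. The systems, timestamps, and targets are constructed for illustration; the assumptions are that each backup timestamp is the completion time of a successful job and that the restoration time is when the system was confirmed usable, not merely powered on.

```python
"""RTO/RPO check against a recorded disruption and a backup history."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Objective:
    """One row of the BIA: a business function, the system behind it, and its targets."""
    function: str
    system: str
    rto: timedelta   # maximum acceptable time until the system is back in service
    rpo: timedelta   # maximum acceptable data loss, measured as a span of time


@dataclass(frozen=True)
class Outcome:
    function: str
    rto_actual: timedelta
    rpo_actual: Optional[timedelta]  # None: no usable backup predates the disruption
    rto_met: bool
    rpo_met: bool


def achieved_rpo(backups: List[datetime], disruption_at: datetime) -> Optional[timedelta]:
    """Data actually lost: everything written after the last backup that
    completed before the disruption. A job still running when the disruption
    hit does not count, which is why completion times are used."""
    prior = [t for t in backups if t <= disruption_at]
    if not prior:
        return None
    return disruption_at - max(prior)


def worst_case_rpo_exposure(backups: List[datetime]) -> timedelta:
    """Largest gap between consecutive successful backups. One failed job
    silently widens this beyond the scheduled interval, so this gap, not the
    schedule on paper, is the number to compare with the RPO."""
    ts = sorted(backups)
    return max((later - earlier for earlier, later in zip(ts, ts[1:])),
               default=timedelta(0))


def evaluate(objectives: List[Objective],
             backups_by_system: Dict[str, List[datetime]],
             disruption_at: datetime,
             restored_at_by_system: Dict[str, datetime]) -> List[Outcome]:
    """Score each BIA row against what happened in one disruption."""
    outcomes = []
    for obj in objectives:
        rto_actual = restored_at_by_system[obj.system] - disruption_at
        rpo_actual = achieved_rpo(backups_by_system.get(obj.system, []), disruption_at)
        outcomes.append(Outcome(
            function=obj.function,
            rto_actual=rto_actual,
            rpo_actual=rpo_actual,
            rto_met=rto_actual <= obj.rto,
            rpo_met=rpo_actual is not None and rpo_actual <= obj.rpo,
        ))
    return outcomes


# --- Constructed sample data: hypothetical systems, targets, and timestamps ---
OBJECTIVES = [
    Objective("Payroll", "hr-db", rto=timedelta(hours=4), rpo=timedelta(hours=1)),
    Objective("Student records", "sis-db", rto=timedelta(hours=24), rpo=timedelta(hours=24)),
]
BACKUPS = {
    # hourly jobs on hr-db; the 08:00 run failed and never completed
    "hr-db": [datetime(2024, 3, 1, h) for h in range(0, 10) if h != 8],
    # nightly job on sis-db
    "sis-db": [datetime(2024, 2, 29, 2), datetime(2024, 3, 1, 2)],
}
DISRUPTION_AT = datetime(2024, 3, 1, 8, 45)
RESTORED_AT = {
    "hr-db": datetime(2024, 3, 1, 11, 15),   # validated 2h30 after the disruption
    "sis-db": datetime(2024, 3, 2, 10, 0),   # validated 25h15 after the disruption
}


def run_example() -> List[Outcome]:
    return evaluate(OBJECTIVES, BACKUPS, DISRUPTION_AT, RESTORED_AT)


if __name__ == "__main__":
    for o in run_example():
        print(f"{o.function}: RTO {o.rto_actual} ({'met' if o.rto_met else 'MISSED'}), "
              f"RPO {o.rpo_actual} ({'met' if o.rpo_met else 'MISSED'})")
    print("hr-db worst observed backup gap:", worst_case_rpo_exposure(BACKUPS["hr-db"]))
```

The failed 08:00 job is the point of the sample: the schedule says hourly, but the observed gap is two hours, so the one-hour RPO for payroll was already unachievable before anything went wrong. Monitoring backup completion, not just scheduling, is what keeps an RPO real, and the student records row shows the opposite failure, where data loss was acceptable but the restore itself took longer than the business could tolerate.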

What is incident response?

Incident response manages and mitigates the impact of security incidents, such as ransomware attacks or data breaches. Its goal is to detect, respond to, and recover from incidents promptly to minimize damage and protect sensitive information. 

An incident response plan (IRP) outlines procedures for addressing cybersecurity attacks, helping to identify, mitigate, and recover from incidents like unauthorized access or denial of service. The IRP is often included as an appendix to the BCP and DRP.

IRP components include:

  • Identifying covered incident types
  • Establishing an incident response team with roles, responsibilities, and key personnel contacts
  • Setting criteria for classifying incidents by severity and impact, defining severity levels and corresponding response actions
  • Outlining immediate steps upon incident detection, activating the response team, and initiating preliminary assessments
  • Establishing procedures for post-incident reviews, documenting lessons learned, and recommending improvements to the IRP

Conclusion

BC, DR, and IR are each crucial for organizational resilience against unexpected disruptions. BC works to ensure sustained critical business functions, DR restores IT systems post-disaster, and IR manages security incidents. The synergy of these three components forms a comprehensive strategy, empowering organizations to navigate disruptions effectively.

For more information on organizational resilience or if you have questions about your specific situation, please don’t hesitate to contact our cybersecurity consulting team. We’re here to help.

Article: Crafting a resilient strategy with business continuity, disaster recovery, and incident response

Read this if you are involved in cybersecurity at your organization.

The cyber threat landscape is growing

Over the years, the cyber threat landscape has experienced a steady increase in cyberattacks, with more data breaches, targeted social engineering attacks, and crippling ransomware attacks taking place. The increase in cyberattacks is affecting all industries, including government supply chain vendors, higher education and research institutions, and many others. 

The US government is particularly aware of the risks involved with the increase in cyberattacks and understands it must continue to strengthen its cybersecurity program to protect intellectual property and national security. This means not only strengthening cybersecurity controls and processes for the government, but also for contractors who work directly and indirectly with the government. In this case, “contractors” include businesses that enter into contracts with the US government and any supplier, distributor, vendor, or firm that provides products or services to contractors and other subcontractors. 

What is the Cybersecurity Maturity Model Certification (CMMC) framework?

The CMMC framework provides a foundation for establishing a strong cybersecurity program to manage cyber threats effectively. The framework was developed by the Department of Defense (DoD) and is designed to verify that cybersecurity controls and processes adequately protect the sensitive information the DoD shares with its supply chain: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Broadly speaking, contractors and subcontractors that handle FCI or CUI under DoD contracts will be required to meet CMMC requirements. 

Prior to CMMC, contractors were responsible for implementing and monitoring their own cybersecurity controls and processes and could self-attest to their level of security; the DoD did not audit or verify the security contractors actually maintained. With cyber criminals frequently targeting the weakest link in supply chains, the DoD has moved to a trust-but-verify approach: depending on the contract, organizations working with the DoD may be required to have a CMMC Third-Party Assessment Organization (C3PAO) assess their cybersecurity controls and processes and verify CMMC compliance. 

CMMC industry standards and cybersecurity best practices

CMMC 1.0 built on NIST SP 800-171 and added practices and process-maturity requirements drawn from other frameworks, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), the Center for Internet Security (CIS) Controls, and the Computer Emergency Response Team (CERT) Resilience Management Model (RMM). CMMC 2.0 removed those CMMC-unique practices and maturity processes: Level 2 is the 110 requirements of NIST SP 800-171, and Level 3 adds a subset of NIST SP 800-172. Building on published standards gives assessors a benchmark against which to measure an organization's cybersecurity posture. Following the assessment, the organization will better understand the maturity of its controls and processes and where gaps exist. 

CMMC compliance benefits beyond the DoD

CMMC compliance is set to become a prerequisite for DoD contract awards and is expected to affect more than 300,000 contractors and subcontractors. The purpose of CMMC is to provide a uniform set of security standards that every contractor handling FCI or CUI for the DoD must meet. Without certification at the level a solicitation requires, an organization can be excluded from bidding on DoD contracts. The DoD's plan at the time of writing is to begin phasing CMMC requirements into contracts in 2025, which will also reach research institutions that handle CUI under DoD-funded work. 

Outside of helping companies with DoD contract prerequisites, CMMC compliance is important for several other reasons. First, the framework helps ensure that organizations have implemented the proper controls and processes to protect themselves from cyber threats. It also helps ensure compliance with other laws and regulations. Additionally, by following the CMMC set of standards and best practices, organizations can maintain a high trust relationship with partners and customers. 

Who should be CMMC compliant?

All contractors and subcontractors that handle DoD information will need CMMC certification at the level their contract specifies, which depends on the sensitivity of the information the organization receives or creates. The underlying requirements are not new: DFARS clause 252.204-7012 already obliges any contractor that stores, processes, or transmits CUI to implement NIST SP 800-171, and clauses 252.204-7019 and 252.204-7020 require a self-assessment score to be posted in the Supplier Performance Risk System (SPRS); prime contractors must flow these clauses down to subcontractors that handle CUI. What CMMC adds, as it is phased into contracts beginning in 2025, is verification: every organization that handles FCI for the DoD, whatever product or service it provides, will need at least Level 1 certification to win or keep a DoD contract, and Level 2 or higher wherever CUI is involved (more information on maturity levels below). 

If an organization is planning to contract with the DoD, it should plan to be CMMC certified and should attain Level 1 compliance now, since the level ultimately required will be stipulated contract by contract. Fortunately, an organization that is already compliant with NIST SP 800-53 (the control catalog for federal information systems) or authorized under FedRAMP (the authorization program for cloud services used by federal agencies) is not far from certification, because NIST SP 800-171 is derived from the moderate baseline of SP 800-53. Likewise, an organization that already meets NIST SP 800-171 may fulfill most of the Level 2 requirements of CMMC. 

A breakdown of CMMC maturity levels

CMMC 1.0 was published in January 2020 and written into DFARS by an interim rule in September 2020. The original framework organized security maturity into five levels, but in November 2021 the DoD announced CMMC 2.0, which introduced several key changes, including a streamlined model intended to reduce costs, particularly for smaller organizations. CMMC 2.0 organizes maturity into three levels instead of five.

  1. Foundational (Level 1)
    Basic cyber hygiene for organizations that handle FCI: the safeguarding requirements of FAR 52.204-21, a subset of universally accepted best practices. This level requires only an annual self-assessment and an affirmation by company leadership.
  2. Advanced (Level 2)
    All 110 requirements of NIST SP 800-171, for organizations that handle CUI. For most contracts this level requires a CMMC Third-Party Assessment Organization (C3PAO) to assess the implementation every three years, with an annual affirmation in between; the DoD has indicated that a subset of Level 2 contracts involving less sensitive CUI may instead allow an annual self-assessment.
  3. Expert (Level 3)
    Highly advanced cybersecurity controls and processes for the most sensitive programs, including continuous improvement across the organization and timely incident response capabilities. At the time of writing the details of this level were still being finalized, but it is expected to incorporate a subset of NIST SP 800-172 on top of the Level 2 requirements, and the assessment is performed by the DoD itself rather than by a C3PAO. 

Challenges and considerations of CMMC compliance 

CMMC compliance can be challenging for several reasons. The first is scope: whether the organization is starting from scratch or adapting an existing cybersecurity program. The core of CMMC is the 14 requirement families of NIST SP 800-171, which cover areas such as access control, awareness and training, and incident response. Across the 14 families there are 110 requirements, including limiting unsuccessful login attempts, ensuring that personnel are trained to carry out their assigned information security duties, and testing the organization's incident response capability. Mapping these requirements to existing controls is not easy, and implementing them without a clear idea of what each entails is nearly impossible.

Another common challenge with CMMC compliance is cost, and organizations should begin to build budgets to upgrade cybersecurity controls and processes to the levels needed. The costs associated with CMMC compliance depend on several factors:

  • Organization size
    The size of the organization may have an impact on project costs; however, the number of employees accessing sensitive information is the more significant driver in determining overall costs of compliance. Thus, organizations should limit the number of employees receiving and using sensitive information. 
  • Maturity
    The journey to CMMC compliance will likely cost more and take longer for organizations starting from scratch. For organizations further along in the process, it will be important to consider the current maturity level of documentation development, technology implementation, and what processes and procedures are already documented and in use. 
  • Technology implementation
    Achieving compliance will require a combination of policy and technology. The more technologies the organization must implement, the greater the costs. Some of the more expensive technologies include a security information and event management (SIEM) system and a vulnerability scanner.
  • Consultants
    Consulting costs should be considered when setting out for CMMC compliance. Organizations often have consultants perform a gap analysis to analyze how well their current cybersecurity program meets—or does not meet—the demands of NIST 800-171. This helps an organization determine whether it complies with the CMMC, or what steps will be necessary to achieve compliance. In other words, a gap analysis can keep the organization’s CMMC compliance strategy on track.

It is important that organizations understand that CMMC compliance is not a one-time expense. Compliance can have an impact on IT support teams, forcing units to spend time on regulated data environments at the cost of supporting broader organizational needs. Ongoing training is necessary to keep stakeholders up to date on the evolving threat landscape. Requirements are also not easy to implement and may have an impact on the organization. Finally, noncompliance carries its own risks, such as not qualifying for new awards or the potential loss of current projects. 

The last challenge is obtaining the official certification. Unlike many other frameworks, CMMC certification at Level 2 cannot be self-granted: it must be obtained from a C3PAO that has been accredited by The Cyber AB (formerly the CMMC Accreditation Body).

Preparing for CMMC compliance

Before achieving CMMC compliance, organizations should understand their current state of security and determine what level of compliance is necessary. Organizations should perform a gap analysis to analyze how their current cybersecurity program meets—or does not meet—compliance requirements. Following the analysis, organizations should develop a security roadmap that outlines how they will implement requirements to prepare for a CMMC assessment. It will also be important for the organization to determine the scope of the assessment. 

For organizations that are ready to attain CMMC compliance, the next step is the assessment. A CMMC assessment evaluates an organization's cybersecurity maturity and is required to demonstrate compliance with the desired CMMC level before certification. For Level 1, the assessment is a self-assessment, with the result and an affirmation by leadership recorded in SPRS. Level 2 requires, for most contracts, a third-party assessment by a C3PAO. Level 3 is assessed by the DoD itself, on top of a Level 2 certification, rather than by a third party.

CMMC assessments examine cybersecurity policies, procedures, controls, and processes to determine compliance with NIST SP 800-171 and, at Level 3, the applicable NIST SP 800-172 requirements. The extent of the assessment depends on the level the organization wants to achieve. The assessor will request evidence to evaluate the controls and processes protecting sensitive information, which may include previous risk assessments, the system security plan, network diagrams, vulnerability scans, and other relevant documentation. 

Conclusion

In today’s rapidly evolving environment, the DoD is focused on protecting sensitive information from malicious cyberattacks, particularly throughout the supply chain. CMMC offers a structured framework for organizations to strengthen their cybersecurity posture. For organizations doing business or looking to do business with the DoD, CMMC compliance will soon be required to help ensure that contractors are meeting minimum industry standards and cybersecurity best practices. 

While the road to compliance presents challenges like resource allocation and technological adaptation, the journey toward compliance is an ongoing process. To help ensure compliance, organizations should establish transparent ownership and consistent expectations across their enterprise and partnerships.

Article: CMMC: Is it time for your cybersecurity program to grow up?

Read this if you are looking to find balance with digital usage at your organization.

The current digital well-being environment

Over the last few decades, there has been a major shift in the use of smartphones, laptops, tablets, and other devices. Technology has become an integral part of people’s private and professional lives and the constant innovations and improvements in technology have made information much more accessible than ever before. Some people are finding themselves to be too reliant on technology, however, and the transition to a technology-driven environment and constant exposure to screens have led to a serious dilemma for employees and employers: finding a healthy work-life balance. 

Studies have consistently shown the detrimental effects of excessive technology use, which include:

  • Physical health concerns, such as vision problems, neck strain, and even heart complications due to extended periods of sedentary behavior.
  • Mental health concerns, such as increased stress, anxiety, depression, and a general sense of dissatisfaction with life.
  • Social isolation and feelings of loneliness, as digital interactions may not fully substitute for meaningful face-to-face connections.
  • Disrupted sleep patterns, as the use of technology before bedtime makes it harder to obtain quality sleep and can lead to sleep disorders.
  • Reduced engagement and performance in the workplace, potentially impacting productivity and job satisfaction.

What is digital well-being? 

The negative impacts of excessive technology use can prevent employees from maximizing their potential. This has paved the way for digital well-being, which is an emerging concept designed to help manage some of the inherent risks of increased technology use and help employees find an ideal work-life balance. 

Digital well-being is about creating and maintaining a healthy relationship with technology. It is a subjective and individual experience of understanding the optimal balance between the benefits and drawbacks obtained from technology. A common example of how technology can have a negative impact on employees is the overuse of social media during the workday. This can quickly lead to employee disengagement and decrease work performance. Although many workers rely on technology to perform their jobs, digital well-being is about using technology in such a way that helps employees. Objectives for increasing digital well-being include:

  • Developing a clear understanding of the advantages and potential risks associated with technology usage.
  • Striking a balance between professional commitments and personal life responsibilities. 
  • Cultivating and maintaining meaningful connections with coworkers, family members, and friends. 
  • Efficiently managing workload and minimizing digital distractions.
  • Actively participating in social and community events and activities.

Why is digital well-being important?

With the shift to a technology-driven environment, the ability to concentrate without distraction is increasingly valued by employers. An individual's technological dependencies and habits may reduce their ability to focus for prolonged periods, especially when they are constantly interrupted by incoming communications and notifications. Technology should help individuals achieve their private and professional goals, rather than distract them or get in the way.

Digital well-being enables employees to be more engaged and productive, as well as to maintain healthier lives outside of the workplace. Adopting leading digital well-being practices can help employees focus on their work and reduce exhaustion and distraction. For example, an employee who checks their smartphone four to five times a day will likely be more productive than someone who checks their device every few minutes. This can result in improved individual performance over time and a greater contribution to team and company performance.

Finding balance in the workplace

As remote work gains popularity and flexible work arrangements become the norm, technology can be both helpful and intrusive. Collaboration tools, such as Zoom and Microsoft Teams, can help keep employees digitally connected but can also be distracting for team members being bombarded with communications and requests. Additionally, employees may be tempted (or expected) to answer communications and continue to work after the workday is over. This makes it hard for employees to separate their work life from their private life. But employers can help their workforce find this balance. 

The National Day of Unplugging, celebrated on the first Friday of March, has been followed by many organizations for several years and encourages people to disconnect from technology for 24 hours and engage in activities that promote well-being. 

Best practices for digital well-being

Ultimately, employees are responsible for their digital well-being. Simple changes made consistently over time can make a big impact. Some best practices for individuals to follow include:

  • Be mindful of the information and media you consume online. By engaging with reliable sources, fact-checking information, and balancing digital experiences with offline activities, you can increase your digital well-being.
  • Focus on the positive aspects and achievements of others online. Avoiding negative social comparisons leads to healthier online relationships and interactions.
  • Understand and manage your digital identity and footprint. Our online habits and activity can shape how others perceive us and can impact our personal and professional lives. This is especially true for social media. By being mindful of the impact our words and actions can have, we can contribute to a more supportive digital community.
  • Express yourself and be creative. It is important to engage in creative activities online that promote mental well-being, boost self-esteem, and enable you to explore your passions and talents.
  • Address digital clutter. The accumulation of unnecessary and disorganized digital files, emails, and applications can have a negative impact on productivity and stress levels.
  • Optimize workspaces. Whether you are in the office or at home, an optimal workspace can improve productivity and reduce distractions. 
  • Distinguish between intentional and passive use of technology. Intentional use involves purposeful engagement, while passive use can lead to mindless scrolling and excessive screen time, which can negatively impact your overall well-being.
  • Set boundaries and take breaks. Engaging in offline activities, practicing mindfulness, and setting boundaries with technology allows individuals to recharge, reduce stress, and maintain a healthy balance between digital engagement and self-care.
  • Develop a healthy pre-sleep routine. Getting sufficient and quality sleep is essential for overall well-being. Excessive use of digital devices, particularly before bedtime, can disrupt sleep patterns and negatively impact physical health.
  • Consider a digital detox. Sometimes we just need a break from digital devices and social media platforms. A digital detox is a period when you disconnect from digital devices and technology, typically for a temporary duration, to reduce screen time and digital distractions and promote overall well-being.

To encourage and help workers find a healthy work-life balance, employers should:

  • Foster a positive digital culture. Encourage collaboration, enhance employee engagement, and prioritize well-being. This type of culture can promote effective communication, reduce misunderstandings, and enhance productivity.
  • Train employees on how to use digital tools and platforms. Being familiar with technology allows your team to adapt to new tools and stay updated in a fast-paced digital environment.
  • Help employees stay focused and limit distractions. You should not only focus on training your team on how to use technology, but also provide guidance on how to concentrate on tasks, be more efficient, minimize interruptions, and achieve goals. 
  • Educate employees on privacy and security. This can help your employees feel more confident and empowered in their use of technology and can help reduce the risk of cyberattacks, such as data breaches and ransomware attacks.
  • Provide ergonomic support and help optimize workspaces. Whether your team members are in the office or at home, it is important to help create workspaces that support proper posture, comfort, and overall well-being. 
  • Collaborate and communicate strategically. Collaboration and communication are critical for teams, particularly for hybrid and remote workforces. At the same time, excessive emails and chats can be distracting and lead to disengagement. Too many meetings, particularly virtual meetings, can also lead to physical and mental fatigue. When possible, find ways to meet face-to-face.
  • Support employees on their digital journey. You should provide resources to help your team develop healthy digital habits, manage stress levels, avoid burnout, reduce feelings of isolation, and find a healthy work-life balance.
  • Develop a sense of connection and community. This can help create a supportive and inclusive environment that allows team members to share common interests, receive support, engage in collaborative activities, and foster a sense of belonging.
  • Check in with employees on a regular basis to verify that their digital needs are being met. Managers should ask targeted questions such as: Are you finding it difficult to disconnect from work after hours? Are there tools you feel that are hindering your productivity or well-being? Do you feel a sense of fulfillment, satisfaction, and purpose in your work?
  • Encourage breaks and physical activity throughout the workday. By decreasing the amount of screen time and allowing the brain to rest and recharge throughout the workday, team members can reduce eye strain, fatigue, and other physical discomforts, improve productivity, reduce stress levels, elevate mood, and enhance creativity. Your organization may consider implementing activity challenges to promote physical activity and encourage healthy behaviors.  
  • Encourage employees to disconnect. Managers should set clear expectations for when employees need to be available and advise them only to contact one another after hours with urgent matters. Additionally, when possible, employees should have the ability to turn off notifications on personal devices after workday hours.

Conclusion

It is important for organizations to recognize the impact of technology on employee health and happiness. In today's environment, technology is an essential part of daily operations, and its overuse can quickly lead to burnout, stress, and decreased productivity. 

Being proactive about employee digital well-being leads to a more supportive work environment that benefits both employees and the organization. This can lead to higher productivity, increased job satisfaction, and reduced turnover rates. Additionally, it sends a clear message to current and potential employees that the organization cares about their well-being, which can help to attract and retain top talent. 

Digital well-being resources

If you would like more information about digital well-being or have questions about your specific situation, please contact our Well-being Consulting team. We’re here to help.

Article
Digital well-being: A fine line between staying connected and losing touch 

Read this if you are concerned about cybersecurity.

A glance at the current cybersecurity landscape

Cybersecurity has become a priority for organizations of all types. From small to large businesses, and government agencies to non-profits, leaders must consider an increasing number of cyber threats, risks, and vulnerabilities. The cost of handling a cyber incident can be alarming, and so nearly every cybersecurity-related decision must be measured against its effect on the organization’s cyber risk profile. 

Many leaders manage cyber threats by implementing the best controls and systems their budget will allow in order to mitigate cyber risks and improve their overall cybersecurity posture—this is wise. But regardless of how diligent an organization is, there is always the possibility that a zero-day vulnerability is exploited by a threat actor or that an employee falls victim to a social engineering attack.

Unaddressed gaps in an organization’s cybersecurity controls—which have become increasingly evident during the COVID-19 pandemic—are making it easier for threat actors to target and carry out cyberattacks. These attacks are increasing in frequency and complexity and organizations of all sizes in all industries are being targeted.

Instead of accepting the full financial risk associated with cyberattacks, many organizations are beginning to take a more pragmatic approach, similar to how they address other organizational risks and uncertainties: they transfer some of the financial risk to an insurance company (at a cost, of course). Although reputational and operational risk still reside within the organization in the event of a cyberattack, cybersecurity insurance can help with the financial impacts of an attack. 

What is cybersecurity insurance and why is it important?

Cybersecurity insurance, also called cyber insurance or cyber liability insurance, is a type of insurance policy that provides organizations with a combination of coverage options to help protect against the financial losses caused by cyber incidents like data breaches, ransomware, and other cyberattacks. Cybersecurity insurance coverage works just like other insurance policies that cover financial losses in the event of physical risks and natural disasters.

Cybersecurity insurance policies can cover financial costs associated with legal fees and expenses, notifying customers about a data breach, restoring the personal identities of affected customers, recovering compromised data, repairing damaged computer systems, and other potential costs. Financial assistance with notifying those impacted by a breach is becoming increasingly important because more and more states require organizations to notify customers of a data breach involving personally identifiable information (PII) in a timely manner—a process that has proven to be very expensive. For example, the California Consumer Privacy Act (CCPA) requires organizations to notify all California residents who were affected by a data breach without unreasonable delay. Other states have enacted similar requirements. 

A cybersecurity insurance policy can be a valuable component of an organization’s cyber risk management program, as it is designed to improve the organization’s cyber risk profile—at least in terms of financial risk. However, a cybersecurity insurance policy should only be considered after an effective cybersecurity strategy, with sufficient cybersecurity controls in place, has been implemented. In other words, cybersecurity insurance should complement an organization’s existing cybersecurity processes and technologies to help reduce the financial burden of a potential cyberattack, but it should not be the only strategy that is implemented by an organization. 

Who should buy cybersecurity insurance?

All organizations that create, store, and manage electronic data online, such as PII, protected health information (PHI), and personally identifiable financial information (PIFI), can benefit from cybersecurity insurance; however, enterprise risk management drives cybersecurity decisions, and that includes whether to purchase cybersecurity insurance or not.

Due to the increasing number of cyberattacks over the last few years, the cybersecurity insurance market is evolving and becoming more complex, and many organizations are choosing to forgo this type of insurance because of increasing costs. In the United States, the Cybersecurity and Infrastructure Security Agency (CISA) is encouraging organizations to focus on improving their cybersecurity controls first, in order to receive cybersecurity insurance coverage at more affordable rates.

Even before the COVID-19 pandemic, insurance companies had been tightening requirements for coverage and asking for more evidence that organizations are doing their due diligence to mitigate against cyberattacks. Whether it is detailing backup procedures or answering questions on specific security controls or systems in place, organizations looking for cybersecurity insurance can expect a more rigorous underwriting process going forward—the days of simple questionnaires are over. 

How to lower cybersecurity insurance costs

Fortunately, for organizations interested in purchasing cybersecurity insurance, there are ways to decrease premium costs. These include implementing strong identity security controls and following industry best practices to protect against phishing and credential theft, ransomware, data breaches, and other cyber risks. More specifically, this means implementing a robust cybersecurity strategy composed of layered security controls. Examples of cybersecurity controls and best practices that insurance companies look for are included in the table below. By demonstrating that these controls are implemented and best practices are followed, an organization can significantly reduce its cybersecurity insurance premiums. 

Conclusion

Organizations can accept the risk of financial loss from a cyberattack, avoid risky endeavors, implement cybersecurity controls and systems, and adhere to industry best practices, but some risk of a cyberattack will remain. 

The most important step an organization can take to help prevent cybersecurity attacks or mitigate the impact of a cyber incident is to focus on improving cybersecurity controls, processes, and technologies. By doing so, the organization is not only reducing potential risks, but also positioning itself to purchase cybersecurity insurance coverage at more affordable rates. While each insurance company’s evaluation process varies, there are certain security controls that are almost always required for an organization to acquire cybersecurity insurance coverage. This often involves Identity and Access Management (IAM) controls and best practices in alignment with industry standards put forth by the Center for Internet Security (CIS), CISA, and others.

Organizations looking to address the financial costs associated with cyber risk should work with an insurance company to understand whether the cost of insurance and the coverage received would complement their existing cybersecurity risk management program. However, it is critical that the organization understands that, in the event of a cyberattack, other risks such as reputational and operational risk will always remain, regardless of the insurance coverage.

If your organization is interested in purchasing cybersecurity insurance, the following link provides more information and general tips on what your cybersecurity insurance policy should include: Cyber Insurance | Federal Trade Commission.

Below are some helpful takeaways from recent breach reports to consider: 

Sources:
Cyber Readiness Report 2022 | Hiscox
Cost of a data breach 2022 | IBM
2022 Data Breach Investigations Report | Verizon

Article
Cybersecurity Insurance: To buy or not to buy? That is the question.