One of the interesting aspects of the rapid rise of cyber liability insurance over the last three or four years has been the very limited underwriting process that takes place for many policies.
An underwriter’s job is to make sure that the insurer charges just the right amount for the coverage it provides. They figure how much risk you represent, how much coverage the company can offer you, and how much that coverage should cost.
In short, underwriting represents the due diligence the insurance company does to make sure that their policies are going to be profitable. As claims and premiums have rapidly increased over the last year or so, so has scrutiny in the underwriting process.
We have noted that recent cyber liability insurance applications are beginning to look more like Vendor Risk Management questionnaires. But the problem with any questionnaire-based approach is that it’s “first-party” attestation: you’re telling the insurance underwriter what you are doing and they are trusting what you tell them.
In a perfect world, the underwriter could conduct its own audit (a “second-party” attestation) and confirm what you are or are not doing. The challenge there is that, in many instances, the cost of the underwriting process could consume a large percentage of the premium the insurance company is collecting, which obviously isn’t a viable option.
The logical evolution has been for the insurance underwriters to consider using third-party attestation (an independent/objective party that asserts to the security posture), which we are just beginning to see. Several ISO 27001 certified clients have had their premiums reduced because of their certificate—which represents a third-party attestation. Further, Allied World recently agreed to offer preferred terms and conditions to health care companies for HITRUST CSF certification.
So if you already have a strong form of attestation (e.g., ISO 27001, HITRUST, SOC 2, FedRAMP), this is good news. If you don’t yet have a good form of attestation, this may be one more consideration for doing so.