How it works and how it should work
You are the director of a non-profit IT shop. You don't have a huge budget, but you have a lot of cyber exposure, with hundreds of assets across a dozen local clients. These clients are the bedrock of your community, themselves providing services to innumerable high-risk people in need. The clients are staffed with compassionate people serving others, and they receive the same phishing threats you do.
Your biggest fear is that tomorrow you will come into the office to find that one of them has taken the bait and a cybercriminal has penetrated the network, locking you out. They demand an enormous ransom, and your IT shop is going to have to hope for an angel investor or close up.
You have talked to traditional cyber vendors that throw around fancy tools well above your budget and manpower to implement. Your commercial insurance broker asks you if you want a cybersecurity insurance policy, and relief washes over you. Now, with the policy in place, even if a breach happens, they will pay for the recovery and the other associated costs.
Months later, a ransomware attack does happen. True to their word, the carrier comes through on the policy and you end up incurring only a small amount of cost.
The problem is that your backup strategy was haphazard, and the incident responders from the insurance company decided it was best to pay the ransom. You didn't like the thought of helping cybercriminals, but you are glad to still be in business.
The next year your premiums go up by 50%. Not unexpected, as auto insurance rates are notorious for increasing after even a fender bender.
The next year the company informs you matter-of-factly that your policy will not be renewed and you have 2 months to find new coverage. You are right back to that original fear of being shut down if someone decides to target you again. Your broker connects you with several new carriers that send cryptic questionnaires about security practices that don't make sense.
Is it possible to get back to a feeling of security?
---
You are the director of IT at a small manufacturing company. You have a lot of advanced manufacturing capabilities that rely on local workstations and cloud services. An annual risk audit determines a cyberattack on your manufacturing network would be catastrophic and the company would likely shut down.
Fortunately, you can purchase cybersecurity insurance to transfer this risk. Your insurance broker recommends this for growing companies your size.
He has a simple questionnaire that asks a handful of questions about the revenue, IT assets, and specific activities. You are then matched with three different carriers who provide quotes and specific requirements you have to meet.
You are already doing many of the required activities today, and you note that the remaining few are clear to understand and simple to implement. The insurance company needs to do a technical audit of your controls, and then you are underwritten.
They periodically send information about new high-risk vulnerabilities that affect your network. Taking care of these in a timely manner gives you additional breaks on your renewal.
Every few months you are alerted to malware on the network, but the simple controls you implemented have ensured you are fine.
Cyber risk managed.