With organisations increasingly making use of cloud infrastructure in their supply chains, even the most well-defended enterprises can be exposed to cyber threats. The move to public, private, and hybrid clouds has reinforced the need for greater shared responsibility and more education among all parties involved.
One of the challenges around customer data being stored on a cloud with varying levels of access is that users may not have any leverage to gain meaningful insight into vulnerabilities that are outside their control. That lack of insight can make it difficult for underwriters to assess security protections and any associated risks.
Against this backdrop, organisations need to know what they are buying into as they transition more of their business operations into the cloud. Organisations also need to understand where their vulnerabilities lie and what due diligence around cybersecurity they can realistically carry out through independent scans or the use of other third-party solutions.
These insights were shared during a panel discussion of cybersecurity experts on the growing risk of systemic threats and supply chain risk.
Here are three key takeaways:
“Know what you don’t know” with cyber coverage. Insurance and organisation leaders need to be aware of the limitations of cloud vulnerability scanning: What can’t be scanned and why. Companies can then make investments to reduce those residual risks and the likelihood of impact.
Cybersecurity is not a silver bullet. Investing heavily in cybersecurity tools won’t make a company 100 percent resilient. There is a point at which the law of diminishing returns applies, and it becomes clear that education around how to use cybersecurity tools effectively and follow best practices is more important. IT departments need to be willing to test the knowledge of the average employee all the way up to the CEO.
Underwriters may know very little about an applicant’s cybersecurity. Questionnaires on cybersecurity from insurers can lose relevance over time. Information submitted by applicants may not always be accurate, and underwriters often have no way of knowing if a company is under attack at the point of issuing a policy. Real-time monitoring of cloud security and third-party review – whether it’s contracted by an insurer or the insured – should be considered a best practice in ensuring coverage is appropriate.
Verisk offers a full suite of Cyber Solutions that help underwriters accurately identify their exposures and collaborate more with their insureds around proper cyber risk management.
