Cyber security incidents continue to increase in both frequency and intensity, and this summer has seen a number of high-profile global ransonware attacks. All of this has put the spotlight on cyber preparedness – what an organization does to safeguard against an attack and how it reacts in the event one occurs.
Information Management spoke with Tim Francis, enterprise cyber lead at Travelers Insurance, about how well organizations typically do with a cyber defense program, and what Travelers requires of an organization if it is to insure it against loss from a data breach.
Information Management: Insurers that provide cyber insurance have requirements of the organizations they insure for cyber security defense measures and plans. What are your expectations of such organizations?
Tim Francis: It depends on the size of the organization and the type of coverage that they’re getting. The larger the organization and the more complex their exposures are, the more rigorous the underwriting will be. Smaller companies often will go through a potentially less rigorous underwriting process.
What we’re trying to ascertain is how well they secure themselves against cyber-related incidents on a number of facets. Those can include the technical security, processes and procedures they have in place from a personnel standpoint; how well are they prepared to handle an event if one takes place; and if an event should take place, then ultimately what are the financial ramifications of that. We’re trying to see how seriously they take cyber security and data information protection, and also get a sense of the culture of the organization.
IM: From your experience, do organizations typically do a good job of implementing cyber security defensive measures and policies?
Francis: It really is on a case-by-case basis. Certain industries have gotten to be reasonably good, but there’s often a tension between finite resources that can be applied and how best to deploy them. There are plenty of organizations that we look at that on the outside you would think would have sufficient resources and adequate protections – relative to their peers, relative to other organizations of the same size and in the same industry – but often they do not.
IM: Where do laggard organizations typically fall short in their cyber defense programs?
Francis: Often, it’s probably not just one area, or the areas can differ from organization to organization. For example, some might have implemented adequate software called technical security features, but may not have appropriate employee training or processes. And vice versa: Some might do a really good job on the people, but not have the technical infrastructure. If there is one commonality, particularly in mid-sized companies, they often have an IT department that is mostly focused on running the business operations, and not enough dedicated resources specifically to information and network security.
IM: What do leader organizations do that separates them from the pack?
Francis: It’s a willingness and an embrace by the senior executives of the organization from the top down to treat both network and information security seriously. It’s also empowering their people with the right resources to adequately defend the organization and prepare the organization in the event of a breach, and to take seriously the implications to such an event.
IM: Do you require that a customer have a chief security officer in place, and if so, what are your expectations of that individual?
Francis: There’s not a standard requirement. For certain organizations, particularly small ones, it isn’t reasonable for them in many cases. While we’d love to see that there is a CISO, it isn’t practical. But for larger organizations, yes, we do have an expectation that there would be a CISO.
IM: Ransomware attacks have grabbed the lion's share of headlines lately regarding cyberattacks. How does ransomware impact your dealings with a customer that is breached?
Francis: We’ve seen ransomware increase significantly over the last several years, the last year in particular. It’s one of the most frequent events that our customers face. When those events take place, often it isn’t the cost of the ransom that is most significant to the customer. It’s those situations in which the data is encrypted and particularly where the systems are not backed up and they’re unable to operate their system. The value of having good insurance and a good insurance partner is not only to help pay for those costs, but to synch them up with the professional experts that can help get them back up and running as soon as possible.
