The Travelers insurance company has teamed up with Symantec to give policyholders cyber security assessments and consultation in order to help them manage risks.
The self-assessment consists of filling out a 25-question survey and getting a written report of how well their network and data protection stacks up. If they want to, they can talk to a consultant who walks them through the results and recommends steps they could take to remediate risks.
+More on Network World: Synack: Hackers wanted after firm gets $21.25M funding from Microsoft, HPE+
There are no guarantees, but if the customers act on the recommendations and let The Travelers know about it when they are renewing their policies, upgrades would be taken into account when the new rate is set, says Tim Francis, the company’s cyber-enterprise lead.
The Travelers doesn’t see the results of the assessments, and customers are not required to participate.
It’s in the best interest of insurance companies and their customers to minimize risks, and The Travelers already had an ongoing eRisk Hub, a Web portal with resources to improve risk posture and calculate potential costs of incidents.
When shopping for cyber insurance, Francis recommends working with a broker familiar with policies available from a variety of insurers who can steer businesses through the ins and outs of the different offerings. These agents are aware of the products and can match them to individual customers’ risk.
There is much organizations can do to improve their risk posture, Francis says. It’s important to inventory the type of personal information the company stores and trim that back as much as possible in order to reduce their risk exposure, he says.
+More on Network World: Startup founded by FireEye alum goes after FireEye+
With the declining price of storage, many companies are keeping data indefinitely on the chance that eventually they will find a way to monetize it. But he says they need to make a business decision on whether information is business-critical and whether they should have it at all. As a part of good data hygiene, they should set up processes and procedures to govern its use, retention and protection.
“If they demonstrate good protection, that will likely lead to better pricing,” he says.
But it’s not just protecting data. It’s also whether the organization is prepared for incidents and whether they have practiced their incident response.
From the insurer’s perspective providing cyber insurance is a tricky business, given the speed at which criminals are developing new attacks. Ransomware was a relatively minor problem just a few years ago that has blossomed into a huge underground industry.
“That’s a significant challenge for us,” Francis says. “Changes to insurance policies and pricing and underwriting don’t move at the same pace as technology and how it might be compromised.”
To help out, insurance companies are hiring a new category of employee. For The Travelers, that includes hiring corporate security pros and former FBI agents specializing in cybercrime. The idea is for the insurers to make more sense of the threat environment so they can develop better models for writing cyber insurance.
The goal is to find the right insurance products to sell and the best way to underwrite them, he says.
Cyber insurance as an industry is estimated to be about $3 billion today but could grow to $5 billion to $7 billion in the next few years.