topic Cyber Insurance used to increase security in Industry News https://community.isc2.org/t5/Industry-News/Cyber-Insurance-used-to-increase-security/m-p/46257#M5516 <P>Interesting paper from the Royal United Services Institute (RUSI) titled: Cyber Insurance and the Cyber Security Challenge.</P><P>&nbsp;</P><P><STRONG>Mission Statement of RUSI</STRONG>: As an independent institution, we produce evidence-based research, publications and events on defence, security and international affairs to help build a safer UK and a more secure, equitable and stable world.</P><P>&nbsp;</P><P><A href="https://rusi.org/about" target="_blank" rel="noopener">About | Royal United Services Institute (rusi.org)</A></P><P>&nbsp;</P><P>Essentially the rough steps on improving overall security posture by way of Cyber Insurance:</P><OL><LI>Insurance companies all agree on minimum baseline security standards, e.g., NIST, ISO, Cyber Essentials, etc.</LI><LI>Make cyber coverage mandatory for all government agencies and their suppliers.</LI><LI>Enact legislation to make cyber insurance mandatory for large and SME, just like professional liability insurance coverage</LI></OL><P>Proposed <STRONG>Pre-Incident</STRONG> Services Insurance Companies can provide in partnership with MSSP’s:</P><UL><LI><STRONG>Staff Training</STRONG>: This generally involves phishing-focused training. For larger businesses, training may also include scenario-based tabletop exercises with senior management.</LI><LI><STRONG>Cyber risk rating services and vulnerability scanning</STRONG>: Rather than using these tools as part of an initial risk assessment, some insurers use them off cycle to monitor internet-facing IT infrastructure or provide organizations with direct access to them.</LI><LI><STRONG>Threat intelligence services</STRONG>: These types of services might involve deep and dark web monitoring to identify specific mentions of an organization, or using claims incidents to create security alerts or identify trends</LI><LI><STRONG>Access to a virtual CISO</STRONG>: This provides organizations without a senior cyber security manager with access to expertise</LI><LI><STRONG>Password management solutions</STRONG></LI></UL><P>Of course, there are issues involved with this plan and are detailed in the paper here: <A href="https://static.rusi.org/247-op-cyber-insurance-v2.pdf" target="_blank" rel="noopener">Cyber Insurance and the Cyber Security Challenge (rusi.org)</A></P> Thu, 01 Jul 2021 18:16:06 GMT tmekelburg1 2021-07-01T18:16:06Z Cyber Insurance used to increase security https://community.isc2.org/t5/Industry-News/Cyber-Insurance-used-to-increase-security/m-p/46257#M5516 <P>Interesting paper from the Royal United Services Institute (RUSI) titled: Cyber Insurance and the Cyber Security Challenge.</P><P>&nbsp;</P><P><STRONG>Mission Statement of RUSI</STRONG>: As an independent institution, we produce evidence-based research, publications and events on defence, security and international affairs to help build a safer UK and a more secure, equitable and stable world.</P><P>&nbsp;</P><P><A href="https://rusi.org/about" target="_blank" rel="noopener">About | Royal United Services Institute (rusi.org)</A></P><P>&nbsp;</P><P>Essentially the rough steps on improving overall security posture by way of Cyber Insurance:</P><OL><LI>Insurance companies all agree on minimum baseline security standards, e.g., NIST, ISO, Cyber Essentials, etc.</LI><LI>Make cyber coverage mandatory for all government agencies and their suppliers.</LI><LI>Enact legislation to make cyber insurance mandatory for large and SME, just like professional liability insurance coverage</LI></OL><P>Proposed <STRONG>Pre-Incident</STRONG> Services Insurance Companies can provide in partnership with MSSP’s:</P><UL><LI><STRONG>Staff Training</STRONG>: This generally involves phishing-focused training. For larger businesses, training may also include scenario-based tabletop exercises with senior management.</LI><LI><STRONG>Cyber risk rating services and vulnerability scanning</STRONG>: Rather than using these tools as part of an initial risk assessment, some insurers use them off cycle to monitor internet-facing IT infrastructure or provide organizations with direct access to them.</LI><LI><STRONG>Threat intelligence services</STRONG>: These types of services might involve deep and dark web monitoring to identify specific mentions of an organization, or using claims incidents to create security alerts or identify trends</LI><LI><STRONG>Access to a virtual CISO</STRONG>: This provides organizations without a senior cyber security manager with access to expertise</LI><LI><STRONG>Password management solutions</STRONG></LI></UL><P>Of course, there are issues involved with this plan and are detailed in the paper here: <A href="https://static.rusi.org/247-op-cyber-insurance-v2.pdf" target="_blank" rel="noopener">Cyber Insurance and the Cyber Security Challenge (rusi.org)</A></P> Thu, 01 Jul 2021 18:16:06 GMT https://community.isc2.org/t5/Industry-News/Cyber-Insurance-used-to-increase-security/m-p/46257#M5516 tmekelburg1 2021-07-01T18:16:06Z