Interesting paper from the Royal United Services Institute (RUSI) titled "Cyber Insurance and the Cyber Security Challenge".
Mission Statement of RUSI: As an independent institution, we produce evidence-based research, publications and events on defence, security and international affairs to help build a safer UK and a more secure, equitable and stable world.
About | Royal United Services Institute (rusi.org)
Essentially, the rough steps for improving overall security posture by way of cyber insurance are:
- Insurance companies all agree on minimum baseline security standards, e.g., NIST, ISO, Cyber Essentials, etc.
- Make cyber coverage mandatory for all government agencies and their suppliers.
- Enact legislation to make cyber insurance mandatory for large enterprises and SMEs, just like professional liability insurance coverage.
Proposed pre-incident services that insurance companies can provide in partnership with MSSPs:
- Staff Training: This generally involves phishing-focused training. For larger businesses, training may also include scenario-based tabletop exercises with senior management.
- Cyber risk rating services and vulnerability scanning: Rather than using these tools as part of an initial risk assessment, some insurers use them off cycle to monitor internet-facing IT infrastructure or provide organizations with direct access to them.
- Threat intelligence services: These types of services might involve deep and dark web monitoring to identify specific mentions of an organization, or using claims incidents to create security alerts or identify trends.
- Access to a virtual CISO: This provides organizations without a senior cyber security manager with access to expertise.
- Password management solutions
Of course, there are issues with this plan, and they are detailed in the paper here: Cyber Insurance and the Cyber Security Challenge (rusi.org)