
Trends We’re Seeing in Cyber Insurance

Cyber insurance companies are starting to enforce compliance requirements on small and mid-market companies. Nobody is exempt from compliance when anyone can be the victim of a cyber attack.


Hi, my name is Matt Mulcahy. I'm the Director of Business Development at ProSource. Today I wanted to touch on an emerging trend that we're seeing in the space, which is insurance companies requiring small and mid-market companies to be strict about their adherence to specific compliance frameworks.

I wanted to look at a recent assessment that we helped a customer complete and touch on some of the high points that we see becoming challenges and contention points with some of our customers.

What we're looking at right now is a standard security assessment. We do a few of these a week. They're consistently being sent over to us to update and make sure that any changes or compliance framework updates are being captured, cataloged, and sent back to the Risk Assessment Agency.

As you can see, this is very large. There are multiple tabs at the bottom going all the way to Z, and it can be quite overwhelming for customers to fill this out themselves. That's generally where we come in. We can help on a one-off basis, but a lot of the time we're already doing managed IT for these firms, and we're helping them move towards this compliance state.

In this instance, they're looking for ISO 27002. What we find with these auditing agencies is that generally there's a framework they're looking for, but if you're already working towards compliance under another framework (it might be NIST, it might be HIPAA), that can generally suffice in these instances.

They're asking very explicit questions here, looking for very specific things that obviously map to controls within the ISO framework. But what we see is that if you're already doing something similar, and it's mapped to controls within another framework, that generally satisfies a lot of what these third parties are looking for. So just because they're asking the question doesn't mean you need to have that specific thing. If you can prove that you are working towards compliance in another framework, even if it doesn't map explicitly to what they're looking for, that will generally satisfy whatever control they're looking for.

For this one, they're looking at: "Is there a documented process to identify and assess regulatory changes that could significantly affect the delivery of products and services?" Really, that's making sure that you have someone on your team who is constantly looking at those changes. In the HIPAA framework, you have to have a named Compliance Officer. So this is an instance where they may be looking for something within ISO, and this actually isn't going to map, so this is a standalone question. But if you go back to them and say, "Hey, we're doing this under HIPAA by having a named Compliance Officer that's reading all the HHS (Health and Human Services) updates that are being published on a monthly basis."

Working through these can be very exhausting and overwhelming, especially if you have nothing in place. But generally some people have a lot of these in place already and they're not documented well. So make sure that you work towards a state where not only do you have the controls in place, but you have the documentation to back it.

A lot of these questions here, I'm sure I can find one very quickly, will refer to documentation. Does the risk governance plan include risk management policies, procedures, and internal controls? It's not enough just to have the internal controls; you need to have the associated documentation. What we always say is: policies drive the practices. The policies generally get developed first, they get approved, and then you roll out the technology changes. That's generally the process we see in IT change management.

These can be gigantic. I'm not going to go over every single tab. But what we're seeing is that independent insurance agencies are pushing these down to smaller businesses and mid-market businesses. The traditional defense was: "We're too small for this. We can't afford this." And that just doesn't fly in this day and age. Everyone's a target from a hacking standpoint. It doesn't matter how big or small you are; you can be monetized with ransomware, and that has downstream implications for the insurance payers and the huge payoffs that they have to stomach. That's why we're seeing such a push to make sure that everyone they're insuring has very robust cybersecurity and controls.

If you have any other questions, feel free to reach out to me, and I'm happy to talk about this at any time. I just wanted to touch on a recent assessment that we got, so you know that everyone is really in scope for having robust cybersecurity in this day and age. There's no excuse not to, and you have to have it at every growth stage within your business's path going forward.

Once again, my name is Matt from ProSource. We post (we're trying to post) about weekly now. Give us a follow if you have any interest in cybersecurity, IT, or compliance. Thanks for watching, and have a great day.
