Interesting Cybersecurity Development in the Insurance and Vendor Risk Arena

Often one of the benefits of working with a capable cyber risk broker or insurer is that the covered business has access to supplemental services ranging from security assessments to budget-priced post-incident legal support. These benefit the insurer and the company by helping to improve the security posture of the insured. Indirectly, such cyber risk assessments also benefit the company’s customers and owners, so it’s a nice win all around.

Last week a group of cyber risk brokers and insurers, led by the brokerage unit of Marsh & McLennan, announced the Cyber Catalyst program, which takes this prophylactic role a predictable step further. According to the Marsh website for the program: “In the Cyber Catalyst℠ program, leading cyber insurers evaluate and identify solutions they consider effective in reducing cyber risk. Participating insurers include Allianz; AXIS; AXA XL, a division of AXA; Beazley; CFC; Munich Re; Sompo International; and Zurich North America. Microsoft is a technical advisor to the program.”

The market for cybersecurity products and services exceeds $100 billion. If the Cyber Catalyst team is willing to step up as a reasonably independent arbiter of which security tools are more or less reliable (subject to predictable caveats), that would be a significant benefit to buyers in the sector, which is almost everyone. There is reason to think the vetting program would be more independent than existing reviewers, because the participants’ driving incentive is to identify security tools that demonstrably reduce the losses they insure.

But There Is No Silver Bullet (or a Wooden Stake, if confronting Vampires)

The announcement by Marsh and its partnering firms is a good step toward sorting through all of the marketing spin from vendors. (For a good, substantive rant on the topic, see the interview with Tenable’s CEO Amit Yoran, stating that “A good chunk of the cybersecurity industry is ‘smoke and mirrors,’ with companies hawking shiny products that aren’t needed to block most hacks.”) But even with the Marsh program, it is critical for organizations to understand that even the best technology is merely one component of an effective security program. During a recent Georgetown Law Corporate Counsel Institute program, our cyber risk panel concurred that any organization must get the basics right, and that no super-duper firewall or data loss prevention tool will overcome the inept or ill-intentioned employee.

Good cyber risk insurance coverage can be an important component of an organization’s broader risk management approach, along with the proper selection and use of security technology. But the successful company will use these resources in the broader context of a mature cybersecurity program built on a suitable framework. For example, ISO 27001 and the NIST Cybersecurity Framework each comprise a family of standards related to information security. Each of these helps an organization ask more strategic questions: How are we doing? What do we want to achieve? When do we want to get there? The program framework provides the components for assessing program maturity, benchmarking, and ensuring the engagement of company leadership. We’ve written before on the benefits of the NIST Cybersecurity Framework.

In the end, good security is a team sport. It is not simply the purview or responsibility of the IT team, and if senior management and each employee are not appropriately involved, no amount of technology toys will protect an organization from the inevitable.

Let’s be careful out there.