November 17, 2020
Good morning, everyone!
Cyber Liability Insurance
This is something that people ask me about fairly often. So here’s my opinion and some references for you. Start here:
- Be as secure as you possibly can be
The first thing you want to do is achieve the highest level of security your organization is able to tackle. Why? Because the stronger your security, the less chance of having a major cyber incident – and the lower your cyber liability insurance premiums will be! So start with a security assessment by a reputable third party like my company and implement as many of their suggestions as you can. These are exactly the things that show up on your insurance application and affect your premiums.
- Be as compliant as you can afford to be
In an ideal world, security and compliance would be the same thing. Unfortunately, this is not an ideal world. Security is about measurable outcomes (“I do this thing and I get this result”). Compliance is about accountability and liability (“I need to check this box”). If you focus on security first, your compliance will be easier and your overall risk reduced.
- Assess your exposure
What are the chances of your organization being hacked? And what are the consequences? There are several factors that have a significant impact on these determinations:
  - Are you in a high- or low-risk industry? A few years ago, retail merchants were at the highest risk, but recently healthcare and manufacturing have taken the top two spots.
  - What kind of data do you store? Is it the kind of data that cyber criminals want to steal?
  - How strong is your information security program? Do you have a “culture of security” in your organization that makes you feel confident your employees are practicing safe behavior online? Do you have good policies and procedures, and training for your employees? Do you have good backups that are secure, encrypted and verified?
- Determine your appetite for risk
This is one that many people don’t think about. What is your appetite for risk? Look at your car insurance. What’s your deductible? $250? $500? $1000? $5000? That’s a good indicator of your personal risk appetite. When looking at cyber liability insurance for a business, you need to know what is the appetite for risk of the business owner and/or primary stakeholders.
- Purchase insurance accordingly
The U.S. Chamber of Commerce recently published a good article on the steps to take before deciding to purchase cyber liability insurance, and what to look for when shopping around. As always, if you have questions or wish to discuss further, ping me.
More about the “shared responsibility model” for security in the Cloud
A few months ago I wrote a piece on the “shared responsibility model” of cloud security. I’m sure it was the first time some of you had read about it. It’s been in the news a lot lately, though, so I thought this was a good time to revisit it.
Both Microsoft and Amazon Web Services (AWS) have recently announced initiatives to help small businesses in particular meet their obligations under the upcoming Cybersecurity Maturity Model Certification (CMMC) for all defense contractors and their suppliers. In reading their announcements, I saw the phrase “shared responsibility model” all over the place! Microsoft states: “Microsoft and industry partners will help customers identify and close gaps, supplementing tenant certification efforts with a shared-responsibility model.” AWS is a bit more explicit:
Security and compliance is a shared responsibility between AWS and the customer, extending to certifications such as CMMC. The Shared Responsibility Model can help relieve the customer’s operational burden as AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities where the service operates. The customer assumes responsibility and management of the guest operating system (including updates and security patches), other associated application software, as well as the configuration of any AWS security products like AWS Config, Amazon GuardDuty, and AWS WAF. Organizations should carefully consider the services they choose as their responsibilities vary depending on the AWS services used, the integration of those services into their IT environment, and published DoD CMMC guidance. The nature of this shared responsibility also provides the flexibility and control that permits the customer to leverage cloud capabilities and technologies to meet specific CMMC capability requirements.
Remember, the shared responsibility model applies to ALL cloud services, not just those for the CMMC. If you are going to put it on the cloud, make sure you know the boundaries of your responsibilities and those of your cloud service provider. And make sure you have the ability to meet your responsibilities first!
What is your biggest security-related challenge?
I'd love for you to reply to this email with just one sentence, one phrase or even one word. What is your biggest security challenge? What do you worry about? What do you fear? What do you not understand? I'll tackle everyone's answers in future newsletters! I want to be sure that the information I'm providing each week is relevant to YOU.
Have a great week!
- December 3: Ethical Duties: Practical Strategies for Safeguarding Client Information (1 hr ethics CLE)
- December 10: Ethical Duties: How Technology is Undermining Attorney-Client Confidentiality (1 hr ethics CLE)
- December 15: "An Introduction to Preparing for the CMMC"
Security Awareness Training Goes Virtual
Thanks to COVID-19, lots of things are going virtual, and that includes my employee Security Awareness Training. I've set up a small studio in our conference room (nobody there but me) so I can provide live training (almost) just like before! You can see me wave my hands and make faces while a slideshow of fascinating facts and practical tips plays across your screens, wherever you and your employees may be.
Contact me to schedule your employee training sessions. They're fun! ☺