Reducing Cyber Liability Insurance Costs with ISO 27001 and HITRUST?

March 25, 2016

Last Updated on January 19, 2024

One of the interesting aspects of the rapid rise of cyber liability insurance over the last three or four years has been the very limited underwriting process that takes place for many policies.
An underwriter’s job is to make sure that the insurer charges just the right amount for the coverage it provides. They figure how much risk you represent, how much coverage the company can offer you, and how much that coverage should cost.
In short, underwriting represents the due diligence the insurance company does to make sure that their policies are going to be profitable. As claims and premiums have rapidly increased over the last year or so, so has scrutiny in the underwriting process.
We have noted that recent cyber liability insurance applications are beginning to look more like Vendor Risk Management questionnaires. But the problem with any questionnaire-based approach is that it’s “first-party” attestation: you’re telling the insurance underwriter what you are doing and they are trusting what you tell them.
In a perfect world, the underwriter could conduct its own audit (a “second-party” attestation) and confirm what you are or are not doing. The challenge there is that, in many instances, the cost of the underwriting process could consume a large percentage of the premium the insurance company is collecting, which obviously isn’t a viable option.
The logical evolution has been for the insurance underwriters to consider using third-party attestation (an independent/objective party that asserts to the security posture), which we are just beginning to see. Several ISO 27001 certified clients have had their premiums reduced because of their certificate—which represents a third-party attestation. Further, Allied World recently agreed to offer preferred terms and conditions to health care companies for HITRUST CSF certification.
So if you already have a strong form of attestation (e.g., ISO 27001, HITRUST, SOC 2, FedRAMP), this is good news. If you don’t yet have a good form of attestation, this may be one more consideration for doing so.

What's Next?

To hear this practical, best-practice oriented show with Temi Adebambo

Click Here

Pivot Point is now part of CBIZ. Click Here for more information.

Blog

Reducing Cyber Liability Insurance Costs with ISO 27001 and HITRUST?

What's Next?

What do you think? Is Digital Business Risk Management the Future of Attack Surface Management?

Search our Blogs

How Much Does ISO 27001 Certification Cost in 2024?

What is Distributed Ledger Technology (DLT) and How Can It Simplify Privacy Compliance?

Virtual CISOs and Community Banks—Perfect Together

What is Hedera Hashgraph and How Does It Solve Blockchain Privacy Issues?

Data Privacy Compliance in Higher Ed: Now is the Time

What is a TISAX Simplified Group Assessment and Who Can Use It?

CMMC Proposed Rule Changes: What’s Changing and How to Prepare

What is Kubescape and Why Should We (as Cloud-Native Developers) Care?

Container and Kubernetes Security: A Nontechnical Introduction

What is a Container and Why are They So Popular with Developers?

What is the New Jersey Data Privacy Law, and How Can We Streamline Compliance?

The EU AI Act: 9 Top Questions Answered

SOC 2 Reports – Which Trust Services Criteria Do You Need?

6 Key Takeaways from the 2023 SOC Benchmark Study

CMMC Proposed Rule: New Guidance on CMMC Level 3

The New CMMC Proposed Rule—Answers to Your Top 9 Questions

ISO 27001 Accreditation: Why It Matters for Cloud Service Providers

How to Measure the Value of Information Security

2 Principles to Revolutionize Security Awareness Training

What is Cyversity and How Can It Improve Diversity on My Cybersecurity Team?

How can we help you?

Services

Compliance

Insights

Pivot Point Security