Lawrence Cruciana, CISSP, CISM, CISA, CMMC-RPA, the Founder and President of CorpInfoTech, will be a panelist at the 2023 MS-ISAC annual meeting. Cruciana will be a panelist along with Michael Peterson, State of Virginia Insurance Regulator, and Mark Camillo, CEO of CyberAcuvie. The topic of discussion will be the convergence of cyber insurance, quantitative risk management, and the risk ecosystem of State, Local, Tribal, and Territorial (SLTT) government organizations.
Curtis Dukes, Executive Vice President & General Manager, Senior Government Leader, Center for Internet Security (CISA), will make the opening remarks:
As cyber insurance claims increase at an exponential rate, the need to more accurately quantify the risk landscape is more critical now than ever before. Risks will remain, even after all of the policies, procedures, and security controls are applied across an organization. These residual risks are most often transferred to a cyber insurer to ensure the organization’s operating viability within its risk capacity. In recent years, the explosion of cyber claims and undiscovered residual risk has resulted in skyrocketing cyber insurance premiums, a patchwork of claims experiences, and increasingly robust underwriting requirements.
In response to this dynamic situation, MS-ISAC brought together three of the Nation’s top experts in the area of cyber insurance and quantitative SLTT ecosystem risk analysis. Together, this group of experts addresses the most pressing questions that SLTT executives face today in the topics of cyber insurance and risk management.
Cruciana will speak on Cyber Risk and Defense (when to transfer risk and why), answering the questions: "From what your company sees as a managed security service provider, do you think organizations are doing a better job at defending their IT systems, or are we roughly running in place?" and "What role do you think the cyber insurance industry should play in improving cyber defense?" He will also discuss Controls and Resources (deploying wisely), answering the questions: "Where are the risks that you see today, and what controls are used to mitigate those risks?" and "What controls do you think should be mandatory across sectors to tame systemic risk?"
Below is a summary of the talk from the MS-ISAC Annual Meeting:
The nature of the insurance industry is an ability to accurately predict and monetarily quantify the damages and consequences of various disasters and workplace incidents. Through comprehensive analysis of data sets and scenario-based inputs, insurers are able to predict the likelihood of an event as well as the resources needed to remediate and recover from said disaster. However, one of the biggest problems the insurance industry has run into over the past several years is that of cyber risk.
Unfortunately, risk will always exist within an organization no matter how many security controls or protocols are implemented in a business's cybersecurity policy. Due to this persistent threat landscape, cyber claims, premiums, and underwriting requirements have skyrocketed. Several insurance and cybersecurity experts gathered at MS-ISAC to outline what SLTT executives face and how their threat landscape ties into their insurance policies.
MS-ISAC identified a 74% year-over-year increase in ransomware activity against SLTT organizations between Q1-Q2 2022 and Q1-Q2 2023. Alongside this rise in ransomware attacks, insurers have also seen a significant increase in loss activity, causing insurers to develop standalone cyber policies rather than packaging cyber liability in other insurance coverages.
Due to this change, the professionals of MS-ISAC recommend the following for organizations investing in cyber insurance:
Ensure an experienced insurance broker is involved, one that specializes in cybersecurity coverage for the organization's unique industry.
Objectively quantify the organization’s risk capacity (how much can you stand to lose), risk tolerance (what are the thresholds of loss that are unacceptable), and risk appetite (how much residual risk and in what areas is acceptable).
Engage a cyber-specialized attorney to review the organization's internal policies, procedures, and insurance contracts.
Align internal cybersecurity controls to an established cybersecurity framework and regularly report the organization’s security posture in terms of this framework.
CorpInfoTech (Corporate Information Technologies) provides small to mid-market organizations with expert I.T. services including compliance assessment, cybersecurity penetration tests, and comprehensive business continuity planning services. CorpInfoTech can help organizations quantify, create, refine, and mitigate the risks presented by business-threatening disasters in whatever form they may be disguised.