Yesterday, I spoke about cybersecurity at the Community Transport Organisation’s annual conference in Sydney.
When I asked the audience if their organisation had cybersecurity insurance, about 60% answered yes.
However, when we worked through the questions on a cybersecurity insurance application form, most of the executives in the room struggled to answer the questions.
Instead, they admitted that their Managed Service Provider (MSP) likely filled in the form for them.
At the same time, a mortgage broker in the room said that your insurance premium is based on how you answer those questions – providing an even greater incentive to check “Yes” to everything.
What are the risks if your cybersecurity insurance application isn’t correct?
While it makes complete sense that a Not for Profit would have their MSP complete the first draft of the cybersecurity insurance application, there are some risks, like:
- How does the board or executives really know if they answered it correctly?
- And what if the organisation’s security posture has changed since the form was originally filled out?
The answers to these questions are really important because they can impact whether or not your cybersecurity insurance claim is actually approved should a breach occur.
How to feel more confident about your security posture
If you’re really not sure if the information submitted was correct and accurate today, it’s time to ask a lot more questions.
A good place to start is to ask for an Essential Eight audit to be completed. If you don’t trust your current provider, you can ask another MSP to do so. Your initial goal should be for a Level 1 Maturity Level.
I’ve seen Not for Profits that have self-assessed themselves at Level 3 but were later assessed by an external provider as Level 0. So, sometimes, an alternative perspective can be quite useful.
There will be gaps in that assessment, such as the security around your website(s), but it’s a really good place to start mitigating cybersecurity risks in general.
Final Thoughts
Your organisation may be paying thousands of dollars annually for cybersecurity insurance, but it can be a complete waste if your claim is denied later because your security posture is different than that stated on your application form.
Ensuring that it’s correct and your defence measures are as strong as financially feasible not only reduces the likelihood of your claim being denied but the chances of a breach in the first place.
So, if in doubt, ask more questions.
I regularly help Not for Profits with IT cybersecurity risk mitigations and investment decisions. Let me know if you need some help.
P.S. If you found this article helpful, you might want to read these too:
- Why cybersecurity is making it riskier to be NFP Executives & Directors
- 3 Reasons Why Board Directors Should Do End-User Cybersecurity Training
- How your system administrators are causing cybersecurity risks
Coming Soon!
Cybercrimes are constantly evolving. Roundbox Consulting will soon release a new annual online cybersecurity training program, specifically designed to help Not for Profits with the latest knowledge to mitigate these risks. Let me know if you want to know more.
Tammy Ven Dange is a former charity CEO, Association President, Not for Profit Board Member and IT Executive. Today, she helps NFPs with strategic IT decisions, especially around investments.