The process of purchasing cyber insurance is somewhat similar to purchasing life insurance. An applicant first completes an application from which the carrier can determine past and present hygiene and estimate statistically the likelihood of future habits. The life insurer may then require a risk assessment of health by means of a blood test and EKG.
The process of purchasing cyber insurance likewise involves completing an application that attempts to understand the applicant’s current level of cyber health: whether the company is resilient to cyber risk and how well it can adapt to and avoid future risk (its good health habits). Some carriers then provide the applicant with a free cyber risk assessment, the equivalent of the blood test and EKG.
The cyber risk assessment is a process in which the carrier evaluates the applicant’s public-facing digital assets. These include the hardware and software used to run things like the applicant’s website and email.
Every time you visit a website, your computer performs a digital handshake with the web server of the page you are viewing. The computers on both sides need to agree on the protocol and encoding being used so that what you view isn’t gibberish. A cyber risk assessment does something similar: a digital handshake that identifies the hardware and software a company exposes to the internet. The assessor then determines whether the hardware is obsolete, whether the software is unpatched, and whether any known vulnerabilities exist.
The hardware and software are evaluated and benchmarked against those of similar companies. Each known vulnerability is identified, with a link provided to learn more about the deficiency and its corrective solutions. The report often provides actionable recommendations that the applicant can carry out themselves at little or no cost.
Is this a complete cyber security solution? Of course not. These evaluations don’t get behind the firewall. Sophisticated cyber security solutions work behind the firewall to protect sensitive data and report on intrusions. But for small businesses without an internal cyber security team, the carrier evaluations are an important first step.