
OPM attempts to ease manager concerns in addressing federal employees’ performance

The Office of Personnel Management is trying to address what it says are concerns from some managers and supervisors who worry they may be held personally liable for disciplining federal employees deemed poor performers.

In response to those concerns, a Nov. 21 memo from OPM clarified that managers and supervisors are generally acting on behalf of an agency when they “manage employees’ job performance and address unacceptable performance.” There is an “extremely limited scope” where managers or supervisors would be held individually responsible for those actions, OPM said.

When a manager puts an employee on a performance improvement plan, demotes an employee or removes an employee from their job for poor performance, that’s technically considered the action of the agency, OPM said, and not the individual manager’s responsibility. If an employee challenges one of those actions, OPM said that the agency, not the manager, would be responsible for responding.

“In the unusual event that a manager or supervisor is sued personally for actions within the scope of their employment, the Department of Justice (DOJ) typically provides representation,” the memo reads.

But if a supervisor or manager misuses their authority — for example through discrimination, harassment or whistleblower-related prohibited personnel practices — OPM said the individual can then be held personally accountable for their actions.

In its memo, OPM also reminded supervisors and managers of the availability of professional liability insurance, which may help protect them in the rare cases where they may be held liable. Supervisors and managers are usually eligible for a government reimbursement amounting to up to half the cost of the insurance.

“But even in these situations Congress did not give employees the right to hold their managers or supervisors personally liable for any performance or conduct-related adverse action,” OPM said.

OPM’s clarification comes after the Trump administration earlier this year set new expectations for measuring federal employees’ job performance. In June, OPM told agencies they don’t have to use “progressive discipline” and that they should not substitute a suspension when a full removal of an employee from their job “would be appropriate.”

The administration’s new performance management standards also attempt to more strictly delineate between different levels of employee performance and encourage agencies to rate fewer employees as high performers.

OPM Director Scott Kupor has repeatedly argued that the government has inflated performance ratings, and has targeted the rating system as a key area for OPM to update.

“In the real world we are not all equally successful and differences in performance from one person to the next are in fact real,” Kupor wrote in a Sept. 15 blog post. “We simply can’t all get A’s because not everyone’s contributions to the success of the organization are the same. Some people simply perform better than others — whether by luck or skill.”

More recently, OPM also announced a new mandatory training program for all federal supervisors, intended to educate supervisors on how to better manage performance of federal employees. The one-hour online course will cover topics including recognition, awards, hiring, firing and discipline of federal employees, according to a memo OPM sent to agencies Wednesday.

“At the end of the training, supervisors will be ready to set clear expectations, deliver quality feedback, document fairly, reward excellence, and take timely action when needed—all while building an engaged, high-performing team through transparency, accountability, and collaboration,” the memo stated.

Federal supervisors are required to complete the training by Feb. 9, 2026, OPM said.

The required supervisor training comes shortly after OPM also launched two optional training programs, designed to educate senior executives in the federal workforce, while incorporating common themes from the Trump administration on “accountability,” performance management and adherence to the president’s priorities.

The post OPM attempts to ease manager concerns in addressing federal employees’ performance first appeared on Federal News Network.


Guardians of Ganja: The Cannabis Insurance Company Covering Your Grass 

Even though the American cannabis industry became a multi-billion-dollar industry years ago, a decent number of insurance companies are still hesitant to work with cannabis businesses. Whether it’s due to the federally prohibited status surrounding cannabis or certain internal policies among the larger insurance providers that dictate which risks will be insured, the process of finding a quality and reliable insurance provider for licensed cannabis businesses can be quite arduous.   

Especially with the multimillion-dollar cultivation and manufacturing operation setups and subsequent wholesale transactions that are equally lucrative and costly, having dedicated and thorough insurance policies in place is now beyond necessity.       

Luckily for those cannabis businesses, Guardians of Ganja is a top-tier insurance agency with a memorable name whose operations and robust policies are created and tailored specifically to the very necessary and precise requirements of those cannabis businesses.   

“One of the best things about cannabis is its ability to free your mind from the constraints of life,” says Jason Ascheman, co-owner of the agency solely focused on the cannabis industry. “After some research, we found the industry was grossly underserved. Guardians of Ganja started with the desire to find something no one else was doing, something that was equally unique, challenging and something that we wholeheartedly believe in.” 

The agency’s primary location of Billings, Montana, is certainly a preferable one from both a cannabis and agricultural standpoint. The state legalized adult-use cannabis back in 2020 (for a second time) and has had a vibrant adult-use market for well over 3 years, surpassing $1 billion in total sales at the end of 2024. Similarly, the state’s agricultural industry is nothing short of massive, being a major producer of cattle and several varieties of wheat.   

Dalton Knutson, co-founder of Guardians of Ganja, meets with a client called White Pine, based in Helena, Mont.

A Specialty Cannabis Insurance Company 

Prior to entering the insurance industry, Guardians of Ganja’s second co-owner, Dalton Knutson, held a variety of interesting and honorable positions, including everything from selling solar panels to bravely serving as a firefighter. Unfortunately, his diagnosis of Crohn’s Disease from his childhood worsened, and after major surgery, he had to resign from his role as a firefighter.    

“But it was after this that my belief in cannabis became stronger, the more I experimented with different treatment methods,” Knutson says. “It became something I wholeheartedly believed in and supported.” 

Knutson soon teamed up with Ascheman, who has over 8 years of experience in the insurance industry. While they both share a passion for the plant, Ascheman’s hands-on insurance experience combined with Knutson’s entrepreneurial and service-oriented nature gave them an edge. “We both realized the market was underserved,” Knutson explains, expressing how they truly have a desire to help cannabis-related companies protect what they have built.  

With the clever tagline of “Covering Your Grass for a Greener Tomorrow”, the services offered by Guardians of Ganja include policies that have been uniquely designed for every different plant-touching sector of the cannabis industry, along with ancillary businesses—everything from cultivation to manufacturing to retail to vital testing labs, even Lessors Risk policies for landlords with cannabis exposures. From the intricacies and detailed coverage options provided by their policies, it’s clear that the team at Guardians of Ganja has several years of experience working directly in this nascent yet heavily regulated industry. 

With liability coverages alone, so many common circumstances and situations that arise in compliant cannabis operations would be insured. A full spectrum of services is offered, from general liability to product liability and the very crucial professional liability.  

Meeting with Nature’s Fix dispensary out of Billings, Mont.

What’s Covered by Guardians of Ganja 

Other important parts of a cannabis operation covered through Guardians of Ganja’s policies are product deliveries of all varieties, as well as the transportation vehicles themselves. This includes all types of deliveries, from individual home deliveries to large-scale deliveries from cultivation facilities to dispensaries. Given how heavily every single cannabis delivery, regardless of size, is monitored and documented by state regulators via platforms like METRC, the Guardians of Ganja team considers it of utmost importance that every element of the delivery process is diligently insured.

Even crop insurance—a vital safeguard that protects farmers’ investments from unexpected disasters—is available through Guardians of Ganja. Every single stage in the cultivation process is covered, from vegetation and harvest to the pivotal drying and curing stages.     

“We pride ourselves in creating personal connections and relationships with our clients to not only be their agent, but a trusted confidant and partner that has their best interest at heart,” Knutson says with pride.  

As the American cannabis industry evolves and expands at a more rapid pace than just about any other industry, the experienced team at Guardians of Ganja is committed to staying up to date on all those constant changes.   

“Along with this, we are continuously educating ourselves on the intricacies of the industry to ensure our recommendations are well-informed and knowledge-based. It’s our belief that putting the needs of the clients over anything else is always a win in the end,” Knutson explains. “To sum things up, GOG means so much more than just insurance. It’s real people with real experiences with cannabis that want to genuinely make a difference both personally and business-wise.” 

The post Guardians of Ganja: The Cannabis Insurance Company Covering Your Grass  appeared first on Cannabis Now.

Conversational AI in Insurance: Benefits, Use Cases, and Future Outlook

The digital shift in the insurance sector is a giant transformation, and Conversational AI in Insurance represents the epicenter of the digital revolution. Modern-day policyholders demand access to prompt replies, tailored suggestions, and hassle-free service, which artificial intelligence is delivering.

Conversational AI is transforming how insurers engage and interact with customers through its ability to streamline claims management, offer real-time support, and more. With artificial intelligence solutions, Natural Language Processing, Machine Learning solutions, and Generative AI development, these systems are ushering in a new era of intelligent, customer-conscious insurance.

In this article, we will discuss conversational AI in insurance, its key advantages, applications in practice, technologies that enable it, and its impact on the future of the insurance industry.

What is Conversational AI in Insurance?

Conversational AI in insurance is the application of AI-driven chatbots, voice assistants, and virtual agents, which can replicate human-like conversations to assist customers and automate different insurance-related operations.

These systems can process human language using Natural Language Processing (NLP), learn from data and interactions using Machine Learning, and generate natural responses using Generative AI. Consequently, insurers are able to handle queries and claims, give policy advice, and offer 24/7 customer service, all via smart, conversational interfaces.

Rather than depending solely on human representatives, insurance companies are now employing conversational AI as a digital front line that can manage thousands of interactions at once with accuracy and even compassion.

Why Conversational AI Matters in the Insurance Industry

The contemporary insurance client wants convenience, speed, and personalization. These expectations can no longer be met by traditional call centers and manual claim handling. Conversational AI closes this gap by providing:

  • Real-time replies to customer requests.
  • Workflow automation to manage policies faster.
  • Data-driven technologies to offer personalized products.
  • 24/7 access, which removes waiting time.

Using agentic artificial intelligence solutions, insurers will gain a better customer experience, lower operational expenses, and less human error.

Benefits of Conversational AI in Insurance

Conversational AI offers transformative advantages across the insurance value chain. Let’s explore some of the most impactful benefits:

These benefits not only improve efficiency but also enhance brand perception and customer loyalty, key drivers in today’s competitive market.

How Conversational AI Works in Insurance

Conversational AI is built on Natural Language Processing (NLP), Machine Learning, and Generative AI development technologies, which form the backbone of the technology. Together they facilitate smooth, smart interactions between humans and machines.

Here’s how the process works:

1. Understanding User Intent

NLP algorithms process customer messages to extract their intent, emotion, and context.

2. Data Retrieval

The AI uses CRM databases, policy databases, or cloud servers to retrieve the appropriate information and develop a response.

3. Response Generation

Using Generative AI services, the system creates a natural and coherent response, as a human agent would.

4. Continuous Learning

Machine Learning enables the AI to become more efficient over time: it learns from past interactions and so becomes more accurate.

This cycle allows insurers to provide a smooth, quick, and tailor-made service, even when they scale.

Top Use Cases of Conversational AI in Insurance

1. Status Updates and Claims Processing

Conversational AI automates the procedure of filing claims by collecting information, verifying documents, and giving real-time updates. Customers can easily check claim status or upload documents via chat, reducing delays and manual work.

2. Sales Support and Policy Recommendations

AI bots suggest personalized insurance plans by analyzing customer profiles and past purchases with the help of Machine Learning solutions. This makes cross-selling and up-selling much more effective.

3. Customer Onboarding

New customers can also use conversational bots to learn about policies, compare plans, and register with ease. This makes the onboarding process smoother and reduces customer drop-off rates.

4. Fraud Detection and Risk Management

Chatbots that use AI can identify suspect behaviors when handling claims or transactions, which can enable the insurers to avoid fraud. Together with artificial intelligence solutions, it enhances compliance and data integrity.

5. Renewals and Payment Reminders

Conversational agents also have the ability to issue timely notifications on policy renewals or premium payments and even help make payments directly on the chat interface.

6. Sentiment Analysis and Customer Feedback

Conversational AI is used by insurers to analyze customer sentiment based on the interaction and determine the level of satisfaction and gaps in the services to fix their products.

Core Technologies Behind Conversational AI

1. Natural Language Processing (NLP)

NLP allows machines to understand and respond to human language correctly. In insurance, it assists in comprehending customer queries, recognizing sentiment, and creating responses that are context sensitive.

2. Machine Learning (ML)

Machine learning enables the conversational systems to be flexible and improve with experience. It uses past discussions, customer preference, and feedback in order to provide better responses.

3. Generative AI Development

Generative AI increases the interaction levels of chatbots since they are capable of generating interactions that are human-like and natural. It is capable of summarizing policy information, emulating discussions, and training support teams.

This combination of technologies makes Conversational AI in insurance not only reactive but also predictive, able to anticipate the customer’s needs even before they are articulated.

Challenges in Implementing Conversational AI in Insurance

Although Conversational AI offers incredible opportunities, it comes with challenges that insurers have to address:

  • Data Privacy and Security: To work with sensitive personal information, it is necessary to have a high level of encryption and adhere to GDPR and other regulations.
  • Complexity of integration: Due to the nature of the business, most insurance companies have legacy systems which cannot be easily integrated with the current AI tools.
  • Human-AI Balance: Over-automation may cause the personal touch to be lost, so it is necessary to find the optimal balance.
  • Constant Model Training: AI models require constant updates and real-life data to be accurate and reliable.

With the help of professional Insurance Software Development providers, insurers are able to resolve these issues and implement everything without any difficulties.

Future Outlook of Conversational AI in Insurance

Conversational AI in insurance has a bright future. With the advancement of AI, insurers will shift towards intelligent ecosystems that are fully automated and have digital assistants oversee every element of the customer journey.

These are some of the trends that are determining the future:

  • Emotionally Intelligent AI: Tone, stress, and sentiments will be identified in order to offer more understanding help.
  • Predictive Assistance: AI will take the initiative to provide policy suggestions or reminders to the customer even before they request.
  • Voice-Driven Insurance Services: Voice recognition will significantly contribute to hands-free claims and support.
  • Hyper-Personalized Customer Experiences: With the development of Generative AI engines, insurers will customize every communication based on the customer’s individual behavior and phase of life.

How to Get Started with Conversational AI

For insurance companies willing to implement Conversational AI, a basic roadmap would be the following:

1. Identify Pain Points: Determine the areas in which automation can be used to improve customer service or reduce costs.

2. Choose the Right AI Partner: Find a reliable partner in the development of insurance software who is skilled in artificial intelligence applications.

3. Integrate with Existing Systems: Make sure the AI connects smoothly with CRM, ERP and policy management systems.

4. Train Your AI Models: Feed historical interaction data to achieve more accurate prediction.

5. Keep Things Simple and Secure: Look for AI solutions that are designed with user data protection in mind.

Concluding Thoughts

The use of Conversational AI in insurance is transforming the customer experience for insurers, making interactions faster, smarter, and more human. With the help of Natural Language Processing, Machine Learning solutions, and Generative AI development, insurers will cease to rely on simple automation and start meaningful data-driven conversations.

The future of insurance is in intelligent, personalized, and proactive communication as technological advances keep being made. The people who adopt artificial intelligence solutions today will be tomorrow’s leaders in the digital insurance world.


Conversational AI in Insurance: Benefits, Use Cases, and Future Outlook was originally published in Coinmonks on Medium, where people are continuing the conversation by highlighting and responding to this story.

California’s “Last Resort” Property Insurer Seeks Rate Hike, Ringing National Alarm Bells

10/24/25
DISASTER INSURANCE

In recent years, hundreds of thousands of Californians have purchased home insurance from a state-managed “last resort” insurance pool that has grown rapidly as private insurance companies have fled the market.

Now, in the wake of the devastating Los Angeles wildfires earlier this year, the Fair Access to Insurance Requirements (FAIR) Plan is seeking approval from the state for an average 36% rate hike, which would further squeeze homeowners who have no other options for coverage.


Cybersecurity Insurance News Roundup

Sherpa Intelligence: Your Guide Up a Mountain of Information!

November 2, 2024 — November 18, 2024

Read Friday, October 25, 2024 — Friday, November 1, 2024 here.

A roundup of cybersecurity insurance related news items.

Visit us at https://sherpaintel.net/
  1. New partnership to deliver first “comprehensive cyber insurance policy” for superyachts
    (Boat International, November 5th)
  2. What Small Cities and Counties Need to Know About Cyber Insurance
    (State Tech Magazine, November 6th)
  3. Lloyd’s & Association of British Insurers (ABI) launch guide to help re/Insurers define major cyber events
    (Reinsurance News, November 7th)
    Read the full guide here: Components of a major cyber event: a (re)insurance approach (PDF)
  4. Who should be in the room when purchasing cyber insurance?
    (Cybersecurity Dive, November 11th)
  5. Mulberri Partners With Qualys to Provide Cyber Insurance Discounts
    (SDX Central, November 14th)
  6. Parking Garages in New York are Refusing to Park Tesla Cybertrucks, They Say, “Insurance Companies Have Asked Them Not to”
    (Torque News, November 14th)
    Editor’s Note: Just threw in this article for fun :-)
  7. AI and the changing cyber threat landscape
    (Digital Insurance, November 15th)
  8. Actuaries Institute stresses need for small-to-medium-sized businesses (SMEs) cyber defenses
    (Insurance Asia, November 17th)
  9. Oklahoma issues guidelines for AI use in insurance
    (Insurance Business Magazine, November 18th)
  10. Reality check on the future of the cyber insurance market
    (Swiss Re Group, November 18th)
Read more news roundups here: https://medium.com/@infosecsherpa/lists

Evolving cyber security in the financial services sector

By: slandau

EXECUTIVE SUMMARY:

The financial sector is a leading target for cyber criminals. Markedly improving the sector’s cyber security and resilience capabilities is a must. While the sector does have a comparatively high level of cyber security maturity, security gaps invariably persist and threaten to subvert systems.

As Check Point CISO Pete Nicoletti has noted, attackers only need to get it right once in order to catalyze strongly negative, systemic consequences that could send shockwaves throughout companies and lives across the globe.

In this article, discover financial sector trends, challenges and recommendations that can transform how you see and respond to the current cyber threat landscape.

Industry trends

  • According to a newly emergent report, 65% of financial services sector organizations have endured cyber attacks.
  • The median ransom demand is $2 million. Mean recovery costs have soared to roughly $2.6 million – up from $2.2 million in 2023.
  • The size of extreme losses has quadrupled since 2017, to $2.5 billion.

The potential for losses is substantial, especially when multiplied in order to account for downstream effects.

Industry challenges

The majority of financial leaders lack confidence in their organization’s cyber security capabilities, according to the latest research.

Eighty percent of financial service firm leaders say that they’re unable to lead future planning efforts effectively due to concerns regarding their organization’s ability to thwart a cyber attack.

There is a significant gap between where financial sector institutions want to be with cyber security and where the industry is right now.

Preparing for disruption

Beyond cyber security, financial sector groups need to concern themselves with business continuity in the event of disruption — which is perhaps more likely than not.

“While cyber incidents will occur, the financial sector needs the capacity to deliver critical business services during these disruptions,” writes the International Monetary Fund.

A major disruption – the financial sector equivalent of the Colonial Pipeline attack – could disable infrastructure, erode confidence in the financial system, or lead to bank runs and market selloffs.

To put the idea into sharper relief, in December of 2023, the Central Bank of Lesotho experienced outages after a cyber attack. While the public did not suffer financial losses, the national payment system could not honor inter-bank transactions for some time.

Industry recommendations

Organizations need innovative approaches to cyber security — approaches that prevent the latest and most sophisticated threats. Approaches that fend off disaster from a distance.

In 2023, nearly 30 different malware families targeted 1,800 banking applications across 61 different nations.

At Check Point, our AI-powered, cloud-delivered cyber security architecture addresses everything — networks, endpoints, cloud environments and mobile devices via a unified approach.

We’ve helped thousands of organizations, like yours, mitigate risks and expand business resilience. Learn more here.


The post Evolving cyber security in the financial services sector appeared first on CyberTalk.

What is cyber insurance


What is cyber insurance?

Cyber insurance is a type of policy that covers loss and damage caused by cyber-attacks or related types of incidents such as infrastructure failure or service outages. Most cyber insurance policies are for businesses, as they face much greater risk and potential loss from a cyber-attack than private individuals.

Cyber insurance is critical for any enterprise, especially those that deal with proprietary or sensitive information.

With the boom of the internet over the past 10 years, cyber risks like social engineering attacks, data breaches and cyber extortion (i.e., ransomware) have also grown exponentially. Because of this, many insurance companies now offer dedicated cyber insurance policies.

Whether it’s cyber criminals obtaining sensitive data, a network security failure or a data breach, chances are your business insurance doesn’t cover your losses. If you’re concerned about a cyber incident, you’ll need to start shopping around for a cyber insurance quote.

Cyber insurance covers things like liability arising from data breaches, network interruption and media liability. Cyber risk to business is much higher than personal risk.

Cyber insurance pricing varies wildly depending on what you need to include, the size of your deductibles and how large your business is. These factors can change the rate from a few hundred dollars per year to a lot more.

Given the relative youth of cyber insurance markets, there’s a great degree of variability in both what’s covered and policy cost. This makes it hard to generalize about the entire field, but we’ll discuss what a cyber insurance policy normally covers, as well as what you might expect to pay for it.

 

Cyber insurance coverage

Cyber insurance generally provides protection against four distinct types of risk: privacy, security, operational and service risk. These risks represent the biggest cyber threats to business and are typically covered by the four types of coverage within a cyber policy described below.

  • Network Security and Privacy Liability

Network Security and Privacy covers the most obvious risks and dangers posed by cyber-attacks. On the security front, cyber policies will generally cover forensic efforts to identify the attack path, legal expenses related to the attack, ransomware payments, data recovery, consumer outreach and public relations costs.

 

Conversely, privacy liability applies to you if your business maintains confidential or private data that is governed by regulation or contract. For example, if your business has a lot of customer personal records that were stolen in a cyber-attack, privacy liability insurance will cover you if the people whose records were stolen seek compensation.

  • Network business interruption

For many businesses, a server outage can mean a catastrophic amount of lost revenue. For this reason, cyber insurance will cover lost profit for the duration of a network interruption that occurs as a result of a cyber-attack or system failure.

  • Media liability

If your intellectual property is stolen as a result of your media presence, be it advertising or something else, then cyber insurance can help with that. The policy generally doesn't cover lost profit as a result, but it does cover things like legal fees associated with enforcing your intellectual property.

  • Errors and omissions

In the event of a cyber-attack or system failure, there is a good chance that your business will be unable to continue providing its services, at least temporarily. If this happens, cyber insurance will generally cover any liability you face from customers.

 

What does cyber insurance not cover?

Now that we've covered what cyber insurance will generally cover, let's take a quick look at what is typically not covered.

  • Future lost profit

The first is any future lost profits that arise as a result of a cyber security incident. Whether it's the result of user exodus due to a significant data breach, data loss, or anything else, cyber insurance generally won't cover lost revenue that isn't a direct and immediate result of a cyber-attack or incident.

  • Losses from theft of intellectual property

Next in line are losses related to intellectual property theft. For example, if someone steals your IP (intellectual property) and uses it to create a product that competes with yours, those lost profits won't be covered by your insurance.

  • Proactive cyber security measures

Finally, cyber insurance generally does not include coverage for any proactive cybersecurity measures, such as upgrading infrastructure or software or improving security procedures.

 

What does cyber insurance cost?

The cost of cyber insurance will vary greatly depending on the size of your company, the insurance provider you go with, and what you want your policy to cover. Because of this, it's hard to predict exactly how much an individual policy will cost, but we can look at some averages.

 

Cyber insurance for individuals generally costs $25 to $100 per month. However, most private individuals do not need cyber insurance, as regular theft or homeowner insurance will often cover the aspects most useful to personal users.

 

Businesses, on the other hand, can expect to pay $500 to $5,000 per year for cyber insurance. As mentioned, there are many factors that determine where you end up in this price range, and the biggest companies are likely to pay much more than this.

 

Should You Get Cyber Insurance?

Unless you're handling some very sensitive data or have a specific reason to believe you're at risk of an attack, you probably don't need cyber insurance as a private individual.

 

If you're concerned about the consequences of potential cyber-attacks or data breaches affecting you, finding a home or theft insurance package that includes some coverage for these types of events may be a better option.

 

However, for many businesses, cyber insurance is an absolute necessity. Cyber security statistics show that attacks and security breaches have been on the rise in recent years, with cyber-attacks routinely targeting businesses large and small.

 

This can take the form of ransomware, where your systems and infrastructure are shut down until you pay the hackers a fee, or a more traditional hack aimed at breaching data security or stealing confidential information.

 

With a 600% increase in cybercrime since the start of the COVID-19 pandemic, it is clear that this has become such a common problem that it should be considered alongside other "analog" threats such as burglaries, fires and the like.

 

Takeaway

That's it for our guide to the cyber insurance space.

We hope we have given you a better understanding of what cyber incidents are covered by cyber risk insurance as opposed to traditional insurance policies.

 

Most, if not all, modern businesses should consider finding cyber insurance providers and getting a cyber liability insurance quote. The cyber insurance market is still relatively young and not every insurance company offers cyber insurance.

 

What do you think of our guide to cyber insurance?

Do you feel like you understand how cyber policies work and what cyber threats are generally covered? Do you have cyber insurance? If so, has it helped protect your business from various cyber exposures? Let us know in the comments section.


Thank you for reading.




Cyber risk: Secure before you insure

By: slandau

Keely Wilkins is an Evangelist with the Office of the CTO as well as a Pre-Sales Security Engineer in Virginia. She has worked in the technology industry for nearly thirty years, holds an MS of Cybersecurity and a variety of certifications. Keely is currently studying toward a Master of Legal Studies specializing in Cybersecurity Law and Policy.  She endeavors to find balance among transparency, predictability, and security.

In this article, Keely discusses recent changes in the cyber insurance market and how adopting a prevention-first security strategy may give you stronger footing in negotiating insurance rates and coverage. This article is part three of a three-part series. Be sure to read part one and part two.

What changes are happening within the cyber insurance market?

The items that have caught my attention include insurers declaring cyber to be uninsurable, their leaders advocating for technical training for brokers, stricter controls on cyber policies, and the issuance of a catastrophe bond for cyber risk. It has been a stressful time for cyber insurers, but they are turning a corner.

The insurance industry is not quick to change course. Its response to everything is calculated as it is meant to provide a measure of financial stability during brief periods of instability. Cyber risk is unlike other risk types; it must be managed differently. I am excited about the changes taking place in the cyber insurance market and the acknowledgement that security is the appropriate instrument to alleviate cyber risk.

“Today’s insurers have a role that goes beyond pure risk transfer, helping clients adapt to the changing risk landscape and raising their protection levels. The net result should be fewer – or less significant – cyber events for companies and fewer claims for insurers.” – Allianz Risk Barometer Report 2023

What does it mean to rebalance cyber risk in favor of security?

In simple terms, it means committing to reduce cyber risk with security before transferring the risk to insurance.  I have started calling it “secure before you insure”.

There is a graphic in the WEF report: Global Cybersecurity Outlook 2023 that offers insight into the gap between investing in security vs. insurance.  The question posed is “Has your organization submitted a claim using your cyber insurance policy in the past two years?”. For organizations with 1,000-100,000 employees, nearly 60% had successfully filed a claim.  “Successfully” means the insurance company paid the claim. This likely resulted in stricter controls being mandated moving forward.  Approximately 20% of respondents declined to answer.

If those organizations shifted their focus to a prevention-first security strategy, they would suffer fewer breaches and file fewer claims.

How can an organization start the process of reducing their cyber risk?

A security workshop (gap analysis) is the first step. The objective of this analysis is to ensure that the appropriate security controls are deployed, the code is current, the systems are patched, and the configurations are correct. This level of assessment also helps leadership identify opportunities for cost savings that will not hinder the effectiveness of the security posture.  One example of this is the consolidation of vendors. Not only does it limit the number of contracts to be managed, the disparate training needed for the security team, and the time lost in trying to manage multiple dashboards, it may also save $290K per breach. In the IBM Cost of a Data Breach Report 2022, it was stated that having a complex security environment adds $290K in costs per breach.

The gap analysis report should provide a prioritized list of changes to be made. That list typically includes patch management, code upgrades, configuration corrections, micro-segmentation, identity management, and graduates into larger requirements that take time and budget to rectify.

Once the gap analysis is digested, an action plan should be developed to put time, budget, and resources to each item to be addressed.

This process should be repeated annually to measure progress and assess evolving needs.

Does reducing cyber risk help lower insurance premiums?

I am not an insurance broker, so I cannot answer that definitively.  Logically, if the insurance company is covering a lower level of risk because of the commitment to strengthen the security posture via preventative methods, I expect the cost would be lower. #secureB4Uinsure

The post Cyber risk: Secure before you insure appeared first on CyberTalk.

The Digital Shield: Cyber Insurance

The world of 2022 has advanced far beyond the wildest dreams of the previous century, but the one thing that has not changed is the threat of a cyber attack. Despite the best efforts of corporate security teams, hackers and other malicious actors are still able to breach the digital defenses of many companies.

For those companies without cyber insurance, their worst fears are brought to life. The costs of restoring lost data, notifying customers and other affected parties, and dealing with legal issues are astronomical. In some cases, companies are forced to shut down entirely due to the financial burden of a cyber attack.

It is a harsh reality, but one that is all too common in this brave new world. Companies without cyber insurance are left to suffer the consequences of their vulnerabilities, a reminder to all of the importance of safeguarding against cyber threats.

Cyber insurance is a small but important step in the fight against cyber crime, and one that is becoming increasingly important to companies of all sizes. For some, it is the only thing standing between them and financial ruin.

How to Evaluate the Risks Assessment and Treatment of IT

What is an assessment of security risks?

The process of identifying and evaluating risks for assets that could be affected by cyberattacks is known as cybersecurity risk assessment. In essence, you identify threats from both within and without; examine how they might affect things like the integrity, confidentiality, and availability of data; and figure out how much it would cost to suffer a cybersecurity incident. Using this data, you can fine-tune your cybersecurity and data protection measures to your company's actual risk tolerance.



You must respond to three crucial questions in order to begin an IT security risk assessment:

 

1. What data would have a significant impact on your company's operations if it were lost or exposed? These are your organization's critical information technology assets.

2. What essential business procedures call for or make use of this data?

3. What threats might make it harder for those business functions to operate?

You can begin designing strategies once you know what you need to safeguard. But before you spend a penny or an hour of your time implementing a risk-reduction strategy, think about the type of risk you're dealing with, how important it is to you, and whether your approach is the most cost-effective.

The significance of conducting comprehensive IT security assessments on a regular basis

Conducting comprehensive IT security assessments on a regular basis helps organizations develop a solid foundation for business success. In particular, it gives them the ability to:

  • Prevent data breaches
  • Choose appropriate protocols and controls to mitigate risks
  • Evaluate potential security partners
  • Establish, maintain, and demonstrate compliance with regulations
  • Accurately forecast future needs

Explanation of cyber risk (IT risk) definition

According to the Institute of Risk Management, a cyber risk is “any risk of financial loss, disruption, or damage to the reputation of an organization from some sort of failure of its information technology systems.”

 

Cybersecurity risks include:

  • Hardware damage and subsequent data loss
  • Malware and viruses
  • Compromised credentials
  • Company website failure

When taking stock of cyber risks, it is essential to detail the specific financial damage they could cause to the organization, such as legal fees, operational downtime and related profit loss, and lost business due to customer distrust.

 

 

The four essential components of an IT risk assessment

In a moment, we'll talk about how to evaluate each one, but first, a brief definition for each:

 

Threat: Anything that has the potential to harm an organization's people or assets is a threat. Natural disasters, website failures, and corporate espionage are examples.

Vulnerability: Any potential flaw that would permit a threat to cause harm is a vulnerability. Out-of-date antivirus software, for instance, is a vulnerability that can make it possible for a malware attack to succeed. A server room in the basement is a vulnerability that increases the likelihood of equipment damage and downtime in the event of a hurricane or flood. Disgruntled employees and outdated hardware are two additional examples of vulnerabilities. A list of specific, code-based vulnerabilities is kept up to date in the NIST National Vulnerability Database.

Impact: The total damage an organization would suffer if a vulnerability were exploited by a threat is referred to as the impact. A successful ransomware attack, for instance, could result in not only lost productivity and costs associated with data recovery but also the disclosure of customer data or trade secrets, which could result in lost business as well as legal costs and penalties for compliance.

Probability: This is the likelihood that a threat will occur. Usually, it's a range rather than a single number.

The following equation can be used to understand risk:

Risk = Threat x Vulnerability x Asset

Despite the fact that risk is represented here as a mathematical formula, it is not about numbers; it is a well-thought-out plan. Take, for instance, the scenario in which you want to determine the level of danger posed by the possibility of a system being hacked. Your risk is high if the asset is crucial and your network is extremely vulnerable (perhaps due to the absence of an antivirus solution and firewall). However, even though the asset is still critical, your risk will be medium if you have strong perimeter defences and a low vulnerability.

 

There is more to this than just a mathematical formula; it is a model for comprehending the connections among the factors that contribute to determining risk:

 

Threat is short for "threat frequency," which is the anticipated frequency of an adverse event. One in one million people will, for instance, be struck by lightning in any given year.

Vulnerability is short for "the likelihood that a weakness or exposure will be exploited and a threat will succeed against an organization's defences."

What is the organization's security environment like? If a breach does occur, how quickly can it be mitigated to avoid disaster? How likely is it that any given employee will pose an internal threat to security control, and how many of them are there?

Cost is a measure of the total financial impact of a security incident. It includes hard costs like hardware damage and soft costs like lost business and consumer confidence. Other expenses include:

Data loss: The theft of trade secrets could result in your competitors taking your business. Loss of trust and customer attrition could result from the theft of customer information.

System or application downtime: Customers may be unable to place orders, employees may be unable to perform their duties or communicate, and so on if a system fails to perform its primary function.

Legal repercussions: If someone steals data from one of your databases, even if the data isn't particularly valuable, you could be hit with fines and other legal fees because you didn't follow HIPAA, PCI DSS, or other data security regulations.




 

How to conduct a security risk assessment

Now, let's go over how to conduct an IT risk assessment.

1. Identify and prioritize assets: Servers, client contact information, confidential documents from partners, trade secrets, and so on are all examples of assets. Keep in mind that what you consider valuable as a technician may not actually be the most valuable for the company. As a result, you must collaborate with management and business users to compile a list of all valuable assets. Collect, if necessary, the following data for each asset:

 

  • Software
  • Hardware
  • Data
  • Interfaces
  • Users
  • Support personnel
  • Mission or purpose
  • Criticality
  • Functional requirements
  • IT security policies
  • IT security architecture
  • Network topology
  • Information storage protection
  • Information flow
  • Technical security controls
  • Physical security environment
  • Environmental security

 

Since most businesses only have a small budget for risk assessment, you will probably only need to cover mission-critical assets for the remaining steps. As a result, you must establish a standard for assessing each asset's significance. The asset's monetary value, legal status, and significance to the organization are common criteria. Use the standard to classify each asset as critical, major, or minor after it has been approved by management and formally incorporated into the risk assessment security policy.

 

2. Identify threats: Anything that has the potential to harm your business is a threat. While malware and hackers are probably the first to come to mind, there are many other kinds of threats as well.

Natural catastrophes. Fire, earthquakes, floods, hurricanes, and other natural disasters have the potential to destroy not only data but also servers and appliances. Consider the likelihood of various natural disasters when choosing a location for your servers. For instance, there might be a low chance of tornadoes but a high risk of flooding in your area.

Hardware failure. The quality and age of the server or other machine determine the likelihood of hardware failure. The likelihood of failure is low for equipment of high quality that is relatively new. However, the likelihood of failure is significantly increased if the equipment is old or comes from a "no-name" vendor.

Human error. No matter what industry you operate in, you should put this threat on your watch list. It is possible for people to accidentally delete important files, click on a malicious link in an email, or spill coffee on equipment that hosts critical systems.

There are three types of wrongdoing:

Interference is when someone damages your business by physically stealing a computer or server, engineering a distributed denial of service (DDoS) attack against your website, or deleting data.

Interception is the theft of your data.

Impersonation is the misuse of another person's credentials, which are typically obtained through social engineering, brute force, or the dark web.

3. Identify vulnerabilities: A weakness that could allow a threat to harm your business is a vulnerability. Vulnerabilities can be identified through analysis, audit reports, the NIST vulnerability database, vendor data, information security test and evaluation (ST&E) procedures, penetration testing, and automated vulnerability scanning tools.

Don't confine your thinking to software flaws; there are also human and physical vulnerabilities. Having your server room in the basement, for instance, increases your vulnerability to flooding, and not informing employees about the dangers of clicking on links in emails increases your vulnerability to malware.

 

4. Controls: Analyse the controls that are either in place or in the planning stage to reduce or eliminate the likelihood that a threat will exploit a vulnerability. Encryption, methods for detecting intrusions, and solutions for identification and authentication are all examples of technical controls. Security policies, administrative actions, and physical and environmental mechanisms are examples of nontechnical controls.

Nontechnical and technical controls can be further divided into preventive and detective categories. Preventive controls, as the name suggests, attempt to anticipate and avert attacks; devices for authentication and encryption are two examples. Detective controls are used to find threats that have already happened or are about to happen; they include intrusion detection systems and audit trails.

 

5. Determine the likelihood of an incident: Consider the type of vulnerability, the capability and motivation of the threat source, and the effectiveness of your controls to determine the likelihood that a vulnerability will actually be exploited. When determining the likelihood of an attack or other adverse event, many organizations use the categories high, medium, and low rather than a numerical score.

To assess the impact, consider the asset's mission and any processes that are dependent on it, the asset's value to the organization, and the asset's sensitivity. A business impact analysis (BIA) or mission impact analysis report can provide this information. This document assesses, quantitatively or qualitatively, the impact of harm to the organization's information assets, such as loss of confidentiality, integrity, and availability. The impact on the system can be graded qualitatively as high, medium, or low.

 

6. Prioritize the information security risks: Determine the level of risk to the IT system for each threat/vulnerability pair, based on:

  • The likelihood that the threat will exploit the vulnerability
  • The approximate cost of each of these occurrences
  • The suitability of the planned or existing information system security controls for eliminating or reducing the risk

The risk-level matrix is a useful tool for estimating risk in this manner. A value of 1.0 is assigned to a high likelihood that the threat will occur, 0.5 to a medium likelihood, and 0.1 to a low likelihood. In a similar vein, the value for a high impact level is 100, for a medium impact level 50, and for a low impact level 10. Risks are categorized as high, medium, or low based on the result of multiplying the threat likelihood value by the impact value.

 

7. Recommend controls: Determine the necessary steps to reduce the risk using the risk level as a foundation. For each level of risk, the following are some general guidelines:

 

High: As soon as possible, a plan for corrective action should be created.

Medium: Within a reasonable amount of time, a plan for corrective measures should be developed.

Low: The group must decide whether to take the risk or do something about it.

Be sure to take into account the following when evaluating controls to reduce each risk:

  • Policies of the organization
  • Cost-benefit analysis
  • Operational impact
  • Feasibility
  • Regulatory requirements in effect
  • The recommended controls' overall effectiveness
  • Safety and reliability

8. Document the results: The development of a risk assessment report is the final step in the risk assessment process.

This report will help management make good decisions about the budget, policies, procedures, and other things. The report ought to provide a description of the vulnerabilities that correspond to each threat, the assets that are in danger, the impact on your IT infrastructure, the likelihood of occurrence, and the control recommendations.

 

Report on the IT risk assessment: The risk assessment report can point to important steps that can be taken to reduce multiple risks. For instance, taking regular backups and storing them off-site will mitigate the risk of both flooding and accidental file deletion. The associated costs and business justifications for making the investment should be explained in detail for each step.
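The scoring in steps 5 to 7, as an added example that is not from the original article: it applies the article's likelihood (1.0 / 0.5 / 0.1) and impact (100 / 50 / 10) values to a constructed risk register, ranks the threat/vulnerability pairs, and lists controls that cover more than one risk. The band cut-offs (above 50 is high, above 10 is medium) are an assumption taken from the NIST SP 800-30 (2002) risk scale, and all function names and sample findings are hypothetical.

```python
from dataclasses import dataclass

# Numeric values stated in the article's risk-level matrix.
LIKELIHOOD = {"high": 1.0, "medium": 0.5, "low": 0.1}
IMPACT = {"high": 100, "medium": 50, "low": 10}
# Step 7 guidance for each risk level, paraphrased from the article.
ACTION = {
    "high": "create a corrective action plan as soon as possible",
    "medium": "develop a corrective action plan within a reasonable time",
    "low": "decide whether to accept the risk or act on it",
}
# Step 1 asset classes, used only to break ties between equal scores.
CRITICALITY = {"critical": 0, "major": 1, "minor": 2}


@dataclass(frozen=True)
class Finding:
    asset: str
    criticality: str    # critical / major / minor
    threat: str
    vulnerability: str
    likelihood: str     # high / medium / low
    impact: str         # high / medium / low
    control: str        # recommended control


def risk_score(f: Finding) -> float:
    """Likelihood value multiplied by impact value; rejects unknown ratings."""
    for name, table in (("likelihood", LIKELIHOOD), ("impact", IMPACT),
                        ("criticality", CRITICALITY)):
        if getattr(f, name) not in table:
            raise ValueError(f"{f.asset}: unknown {name} {getattr(f, name)!r}")
    return round(LIKELIHOOD[f.likelihood] * IMPACT[f.impact], 6)


def risk_level(score: float) -> str:
    # Assumption: cut-offs follow the NIST SP 800-30 (2002) risk scale;
    # the article does not state them.
    if score > 50:
        return "high"
    return "medium" if score > 10 else "low"


def build_report(findings):
    """One row per threat/vulnerability pair, highest risk first."""
    ranked = sorted(findings, key=lambda f: (-risk_score(f), CRITICALITY[f.criticality]))
    return [{"asset": f.asset, "threat": f.threat, "vulnerability": f.vulnerability,
             "score": risk_score(f), "level": risk_level(risk_score(f)),
             "action": ACTION[risk_level(risk_score(f))], "control": f.control}
            for f in ranked]


def shared_controls(findings):
    """Controls that address several risks, ranked by the total score they cover."""
    totals = {}
    for f in findings:
        count, total = totals.get(f.control, (0, 0.0))
        totals[f.control] = (count + 1, total + risk_score(f))
    multi = [(c, n, s) for c, (n, s) in totals.items() if n > 1]
    return sorted(multi, key=lambda t: -t[2])


# Constructed sample register, built from the article's own examples.
SAMPLE_FINDINGS = [
    Finding("file server", "critical", "flood", "server room in the basement",
            "medium", "high", "off-site backups"),
    Finding("workstations", "major", "malware", "out-of-date antivirus software",
            "high", "medium", "update antivirus software"),
    Finding("file server", "critical", "accidental file deletion",
            "no recoverable copy of the data", "high", "high", "off-site backups"),
    Finding("company website", "minor", "hardware failure", "ageing server",
            "low", "medium", "replace old hardware"),
]

if __name__ == "__main__":
    for row in build_report(SAMPLE_FINDINGS):
        print(f"{row['score']:>5} {row['level']:<6} {row['asset']}: {row['threat']} -> {row['action']}")
    print(shared_controls(SAMPLE_FINDINGS))
```

Two pairs can share a score of 50 (medium likelihood with high impact, and high likelihood with medium impact); the report breaks that tie by asset criticality, so the critical file server is listed before the workstations.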



Always keep in mind that the enterprise risk management and information security risk assessment processes are the core of cybersecurity. The information security management strategy as a whole is built on these processes, which answer questions about which threats and vulnerabilities can cost the company money and how to reduce them.




