Organizations seeking cyber insurance coverage are typically required by their insurer to provide evidence of a panoply of controls around information security, disaster recovery, and related risk and technology requirements and best practices.
When organizational data resides only on-premises, documenting, evaluating and maintaining these controls have their challenges but are fairly straightforward for the IT, security and business teams responsible for them. They may need to install certain types of locks on data center doors, add cameras for monitoring foot traffic, and implement specific protocols limiting who can access what information. Within highly regulated industries, insurance carriers’ requirements often track closely with regulatory compliance.
However, COVID-19 threw a monkey wrench into cybersecurity insurance and cyber risk management for many organizations. When a substantial proportion of the workforce began working remotely, the appropriate security control structure became less clear-cut. The challenge was exacerbated by the simultaneous increase in corporate use of Software as a Service (SaaS) solutions.
Today, perhaps the only thing more challenging than building an effective control structure is producing evidence that the structure is effectively protecting corporate applications, data and users.
Now, corporate cybersecurity managers need to focus on understanding how their controls should be structured post-COVID, and on how they can demonstrate those controls to internal and external auditors and to their insurers.
What exactly changed?
The pandemic inspired a migration of workforces around the world. Employees are still doing the same jobs they used to do in the office, but many are doing so from home or other remote locations.
It’s now much harder for traditional perimeter security methods to be effective in this hybrid environment. Even if the security team had the bandwidth to travel to each employee’s residence, installing security cameras and deadbolts on home office doors would not make sense. Nor is it feasible for a third-party auditor to travel to each disparate location to validate that the employee’s security environment is up to snuff.
Similar challenges certainly arose before COVID-19 existed. Some people traveled for their jobs, while others needed to occasionally take work home at night. Security teams required those types of remote workers to connect to the corporate network via a virtual