Sharing Vulnerabilities of Your Organization
Under what conditions would you, should you, accept the risk of sharing vulnerabilities about your organization’s cybersecurity posture? How about sharing with business partners, Insurers, colleges, associations, NIST, DHS, even internally? Does your organization have a policy addressing this? How do you make your people aware of it if you do?
As the NFPPC engaged extensively with the insurance industry, we focused on the opportunity for the them to help protect small organizations against threats of data breaches while helping them with sustainability if a breach happens. Other findings are addressed in a more complete report. This writing focuses on sharing data during the application process.
During our study we identified what we think is a problem:
Imagine you are a small business applying for cyber insurance. You perform due diligence and contact two insurance agents. Most ask you to fill in a questionnaire of 64 or more questions to determine risk.
What happens to the information given to the agent? Have you limited their permission to share it? Do you really want to provide this? As a small business, do you have the resources to provide this accurately? In our study, the small business responded to two such requests with 60 pages of information and one request which only asked four simple questions by an insurance company willing to use their own actuary’s. The later request seems safer to us.
If 10% of small businesses in the US gave away this information while applying for cyber insurance, to an average of two insurers, there would be over five million such records someplace. How is this information being protected?
As we were writing this we received an unsolicited questionnaire which promises us a $25 Starbucks card if we fill it in. The company looks legit. They will give you another $25 if you call them and talk to them. What if three of us filled it out in our organization?
There is a plethora of surveys being pushed to us on a regular basis to gather data regarding the vulnerabilities of organizations by sector, size, criticality, supply chain etc.
We asked two high-level government and collegiate people who were responsible for a similar survey why they didn’t ask the people participating in the survey if they had a policy concerning this and permission to do so. Their response: “It isn’t our responsibility, we are just trying to find hard to get data and besides, we keep it secure.”
Think about this for a moment. Our Forum disagrees, we believe it is the government’s primary job to protect us and everyone asking for this level of information should consider this for future surveys.
How many people responding to requests ask themselves the same thing? How many put themselves in a position of putting their organization at risk and violate corporate policy? We see this as an opportunity for awareness.
We are interested in your experiences and guidance.