Over the past year, we have heard much about the insurance industry and changes to the cyber insurance application and approval process. It makes sense when you think about it. Insurance companies want to know that their clients are using good cyber security measures to protect themselves, which reduces the number and severity of claims.
It’s just like when your kids turn 16: you sign them up for driver’s ed. Passing driver’s ed and getting good grades in school help to reassure the car insurance company that your darling angel is not as likely to have an accident as the neighbor’s hellion wild child.
Then you meet with the bank for a loan. Get ready for a surprise.
You assume you have good credit. You have always paid your bills on time, so getting approval for a loan shouldn’t be an issue. Then you find out that credit bureaus are adding new criteria to creditworthiness. Cyber Security!
Why would they do that? Your credit rating is an assessment of risk. That is, what is the danger in loaning you money? Clearly, your history of paying bills is taken into account when assessing the probability that you will repay a loan. But how is cyber security a factor?
If you borrow money from a bank to start a business, open a second location, expand your product line, etc., your company must be profitable in order to pay your bills. However, if you are hit with a cyber or ransomware attack, your finances will take a major hit. You face the costs of paying the ransom, recovering your operations, paying fines, cleaning up, adding security features (which you should have done before), etc. Or worse, your organization may go out of business. But you still have that loan to pay. The bank won’t get the full amount back if you file for bankruptcy. So now you understand why they would be interested in cyber security as part of your credit rating.
So how do you show a credit bureau you are serious about cyber security? Actually, by doing the same things that are required to get cyber insurance.
- Have a plan which includes cyber security technology
- Train your employees and enforce policies (e.g., turn off access when employees leave, limit the number of people with admin access, etc.)
- Have an incident response plan
- Use multi-factor authentication
- Have a Chief Information Security Officer (CISO or virtual CISO)
Cyber security isn’t just good sense. It’s good financial sense.