Cyber Risk Assessments for Insurers

Feb 12, 2025

by Brad Fraser

A cyber risk assessment using the Center for Internet Security (CIS) framework can provide valuable insights for an insurance underwriter by helping them to better understand the risks associated with insuring a particular organisation against cyber-attacks.

The CIS framework provides a comprehensive set of guidelines and best practices for securing information systems and networks. By conducting a cyber risk assessment using this framework, an insurance underwriter can gain a better understanding of the security posture of the organisation they are considering insuring. This can include identifying vulnerabilities and potential weaknesses in their cyber defences, as well as evaluating their overall risk exposure to cyber threats.

Using the results of a CIS-based cyber risk assessment, an insurance underwriter can more accurately assess the potential costs and risks associated with insuring a particular organisation against cyber-attacks. This can help them to determine appropriate levels of coverage and pricing for cyber insurance policies, as well as to identify areas where additional risk mitigation measures may be needed.

Overall, a cyber risk assessment using the CIS framework can help insurance underwriters to make more informed decisions about which organisations to insure and how to structure their policies to effectively manage cyber risk.

A cyber risk assessment using the Center for Internet Security (CIS) framework would be better than completing an insurance underwriter's questionnaire because:

  • Comprehensive framework: The CIS framework is a widely recognized and comprehensive framework for identifying and mitigating cyber risks. It provides a structured and systematic approach to evaluating an organisation's cybersecurity posture across various domains, including access control, network security, and incident response.

  • Standardized evaluation: The CIS framework provides a standardized set of criteria for evaluating an organisation's cybersecurity posture. This ensures that the evaluation is consistent and objective, and can be used to compare the cybersecurity posture of different organisations.

  • Identify specific risks: The CIS framework helps identify specific risks that an organisation faces, enabling the organisation to prioritize its cybersecurity efforts and allocate resources effectively.

  • Continuous improvement: The CIS framework emphasizes continuous improvement, allowing organisations to regularly assess and improve their cybersecurity posture over time.

On the other hand, completing an insurance underwriter's questionnaire may be less effective in identifying and mitigating cyber risks because:

  • Limited scope: Insurance underwriters typically focus on the financial risks associated with a cybersecurity breach, rather than the technical risks. Their questionnaires may not cover all the technical aspects of cybersecurity, leaving important vulnerabilities undiscovered.

  • Less standardized: The questionnaires used by different insurance underwriters may vary in terms of scope and depth, making it difficult to compare the cybersecurity posture of different organisations.

  • Compliance-oriented: Insurance underwriters may be more focused on whether an organisation meets specific compliance requirements, rather than evaluating the actual cybersecurity posture of the organisation.

  • Static evaluation: Completing an insurance underwriter's questionnaire is typically a one-time event, providing a snapshot of the organisation's cybersecurity posture at a specific point in time. This may not be sufficient to identify and mitigate evolving cyber risks over time.

About Infoprotect UK

Infoprotect helps businesses achieve cybersecurity compliance, maturity and customer satisfaction.

We also have a symbiotic relationship with Insurance Brokers to provide effective “cyber risk management” for their clients, which is critical for organisations of all sizes and types as cyber threats continue to evolve and become more sophisticated. It can help prevent data breaches, reduce the impact of cyber-attacks, and protect an organisation’s reputation and financial stability.

Our agile, personalised human approach differentiates us. We deliver business value to our clients through our commitment and dedication to service delivery.

Our Cyber Assess, Cyber GRC and Cyber Protect solutions are industry-leading cybersecurity services.