Assessment & Advisory Archive - SITS

ISO 27001 is a standard of the International Organization for Standardization (ISO). It was published in the revised version ISO/IEC 27001:2022 in October 2022. For companies and public authorities, compliance is not only a measure to prevent legal sanctions, but also to avoid IT risks on their own initiative and to take the protection of sensitive information seriously. In this context, ISO 27001 certification has proven to be an important cornerstone of ISMS risk management.

In addition to the IT infrastructure and IT systems, the standard also covers the staff and processes involved in data processing. This includes the financial sector, healthcare, technology and e-commerce companies, even government institutions: ISO 27001 is now essential for almost all organizations and institutions that process, store or transmit sensitive information. This is because the standard, which evolved from the British Standard 7799, has long since become more than just ensuring business continuity. It also serves as a structured framework for compliance requirements and helps to ensure customers, investors and business partners that data processing complies with the relevant regulations.

Testing and Certification on the basis of ISO 27001

However, the path to ISO 27001 certification is often a challenging task: In order to certify the ISO 27001 conformity of an ISMS, existing information security controls must first be identified, assessed and necessary improvements recognized. In this context, the gap analysis has emerged as a common approach. In this preliminary audit, an external auditor assesses the current and target status of the ISMS. The gap analysis can be used to detect vulnerabilities and identify appropriate response measures that need to be taken to close any gaps. Roles and responsibilities are also included in this preliminary audit.

Finally, the subsequent implementation phase includes the first steps towards implementation. This includes:

  • Risk assessment in which threats to the company’s information are identified and evaluated. It includes the recording and classification of tangible and intangible assets, the identification of threats and vulnerabilities, the assessment of the potential impact of a cyber attack and the evaluation and prioritization of risks.
  • Risk management plan based on the risk assessment. This plan determines which risks should be accepted, avoided or reduced by implementing appropriate controls. It also includes a risk calculation of the potential impact of threats and risks.
  • Implementation of new processes, adaptation of existing processes and staff training based on the risk management plan.
  • Preparation of documentation for the ISMS, including security guidelines, risk assessment and treatment procedures. In addition, statements of applicability (SoA) and records to verify ISMS effectiveness.

ISO 27001 Certification Audit

After implementation of the ISO 27001 requirements, the certification audit follows. It consists of a Stage 1 and Stage 2 audit, in which auditors review the documentation of the ISMS and put its practical effectiveness through its paces. If the audits are completed successfully, the organization receives the ISO 27001 certificate.

ISO 27001 framework as a pacemaker

The use of a framework has proven to be a good guideline for the implementation of ISO 27001. It contains tools, methods, best practices and resources for implementation and subsequent certification. The aim of the framework is to ensure the three essential aspects – confidentiality, integrity and availability of information – through continuous security controls.

At the heart of the framework is a process-based approach that follows a so-called Plan-Do-Check-Act (PDCA) cycle. PDCA ensures that the constantly changing security requirements are mapped in the ISMS and that new threats are included in the risk assessment.

ISMS according to ISO 27001 and CISIS12®

SITS is specialized in supporting companies with the implementation and certification according to ISO 27001. This includes customized consulting services. They ensure that the ISMS of companies and authorities meets the requirements of the standard and reflects individual business needs and objectives. To this end, SITS’ experienced consultants work closely with companies to develop a flexible and adaptable ISMS that optimizes information security processes while meeting global standards. In addition, SITS offers consulting services for companies wishing to use the CISIS12 standard. CISIS12 (Critical Information Infrastructure Security) was developed as a framework by the German Federal Office for Information Security (BSI) and is specifically tailored to the needs of small and medium-sized enterprises (SMEs).

Re-audit every three years

Regardless of whether ISO 27001 is in the specifications for large corporations or medium-sized companies, the following applies: certification alone is not enough. Rather, ISO 27001 certification should be seen as an investment in the long-term IT security of the company and should also be treated as such in day-to-day business. Continuous improvement of security-relevant factors and regular optimization of risk management are essential to turn compliance into an continuous process. In addition, in order to maintain ISO 27001 certification, organizations must carry out so-called re-audits every three years. These ensure the ongoing conformity and effectiveness of the ISMS. Annual surveillance audits, adjustments to the ISMS and regular employee training ensure that there are no unpleasant surprises.

ISO-27001: Driver for Digitization

Due to its high relevance, ISO 27001 certification plays a decisive role on the path to digital transformation with cloud and remote working as well as 24/7 online services. Data is the core of a company and securing it has become business-critical. ISO 27001 certification provides a standardized framework for effective information security management that enables companies to protect their digital assets from threats.

The spectre of a shortage of skilled workers is looming. The baby boomer generation, which makes up the majority of today’s workforce, will soon reach their retirement age. In addition, there are a number of challenges arising with hybrid work, AI, cloud migrations, half a dozen new compliance guidelines and new threats that are causing companies in a wide range of industries to run out of skilled workers. According to the industry association Bitkom, there are currently around 149,000 vacancies for IT experts just in Germany. “Too few skilled workers and too much regulation are slowing down digital Germany,” warns Bitkom President Dr. Ralf Wintergerst in this context. Companies that are short of employees must therefore take urgent action. Managed services are one option to compensate for the lack of knowledge and manpower in their own ranks.

From MSPs and outsourced processes: what managed services offer

But what exactly are managed services? Managed services is the outsourcing of defined IT functions, recurring IT services and processes to an external body. This is called a Managed Services Provider, or MSP for short. Such services are usually provided and managed remotely, allowing companies to hand over responsibility for certain aspects of their IT operations to external experts. However, there is also the option of providing in-house premises.

Managed services can cover a wide range of IT functions. Examples include infrastructure management, network monitoring, security measures, data backup and recovery, application hosting and technical support. In this process, companies make cost-effective and efficient use of external expertise, improve their own IT capabilities and optimize their performance. But that’s not all, as managed services also help to reduce the time and effort involved in managing complex IT environments in-house.

Managed Services advantages and opportunities at a glance:

  • Predictable spending: Managed services are usually offered as a subscription, allowing companies to better predict and budget IT expenditure. Instead of high upfront costs for IT and staff, they pay a recurring fee – and only pay for the services that are actually needed.
  • Improved security and compliance: MSPs are inherently designed for compliance and protect sensitive data and systems from cyber threats and compliance breaches.
  • Focus on core business: By outsourcing routine IT tasks and responsibilities to an MSP, companies can simply let their IT teams catch a breath and focus on their core business, tackle innovation and simply be more productive.
  • Proactive monitoring and maintenance: MSPs continuously monitor the performance and condition of IT systems and infrastructures – either at specific times (9 to 5) or 24/7, depending on the model. They proactively detect vulnerabilities and minimize operational downtime.
  • Expert know-how: MSPs operate teams of qualified experts who have specialist knowledge in various IT areas, including networks, cyber security, cloud computing and application development – knowledge that can only be purchased internally at great expense through training and recruiting experts.
  • Flexibility: Managed services are designed to scale easily with operations. Regardless of whether operations are expanded, new users are added or new technologies are introduced: Companies can easily expand their Managed Services at any time.

Managed Services versus Outsourcing

Outsourcing IT tasks is popular: turnover in the IT outsourcing market is expected to be around 147.6 billion euros in 2024. But how do managed services differ from traditional outsourcing? First of all, managed services are also outsourced – so there is a conceptual overlap here: With managed services, the service provider assumes responsibility for certain tasks and services, often with a higher degree of autonomy. The customer concentrates on its core business activities, while the service provider takes over the administration and maintenance of the services.

In classic outsourcing, on the other hand, certain business processes or functions are outsourced to an external service provider. The service provider carries out these tasks on behalf of the customer, but the customer usually retains a certain amount of control and responsibility. As only certain sub-departments and IT services go to the service provider, the IT remains in the customer’s company. The customer therefore continues to have the final control over its infrastructure, IT structure and processes. The IT services to be provided are precisely defined in advance and must be provided regularly on the basis of service level agreements (SLAs).

  • Managed services can be very specifically tailored to individual needs, as they are often smaller in scale.
  • Managed services can be more cost-effective as only what is needed is purchased.

Managed Services Provider vs. traditional IT service Provider: Here's what matters

The main difference between a managed service provider and a traditional IT service provider is their service model, the responsibilities and scope of the services provided and the nature of the relationship with the customer.

Managed Service Provider   Traditional IT Service Provider
 

Services based on a subscription-based model:

customers usually pay a regular fee for the services provided, which are based on a service level agreement (SLA). MSPs assume responsibility for the management and maintenance of certain IT functions and systems for their customers.

   

Services on request:

invoicing usually on an hourly basis or project-oriented. Customers commission the service provider for specific projects, problem solutions or consulting services, and billing is based on the service provided.

 

Long-term partnership:

MSP offers continuous support and consulting over a longer period of time. The service provider also works closely with its customers to continuously improve IT infrastructure and services.

   

Engage in specific projects or tasks:

Services may be limited in time. Once the project is completed, the collaboration usually ends unless there are further requirements or projects.

 

Management and operation of specific IT services:

Examples include network monitoring, security management, data backup, cloud hosting etc.. The MSP acts as an extension of the company and takes over the day-to-day operational tasks.

   

Comprehensive services:

Solutions for specific technical problems or projects. This can include the development of a customized software application, the provision of hardware and software or the performance of an IT infrastructure review.

The question is: What is suitable for which company or which requirement? Is it better to choose an MSP or a traditional IT service provider? The definition and requirements are decisive here. In general, the following applies: if there are very specific requirements, for example for products or tasks, the managed service is the appropriate choice. If full support is required or if it concerns content that is mapped by entire departments, classic outsourcing via an IT service provider is the preferred option.

How can Managed Services help to counter the shortage of manpower?

Managed services therefore offer many advantages and, due to their flexibility, are a good way to combat the shortage of skilled workers. One reason for this is that outsourcing IT tasks can help to better utilize existing talent, as not everyone needs to have all their specialists in-house.

Managed services also allow:

  • tackle time-critical issues more quickly
  • outsource time-consuming tasks, such as log analysis or documentation, in order to relieve in-house staff
  • minimize dependency on specialist knowledge in the sense of “brain drain”, as specialist expertise is outsourced

Some companies struggle to ensure compliance with industry regulations and security standards due to limited resources and expertise. Managed services can provide valuable support when it comes to compliance – especially in times of increasing skills shortages. This can help avoid costly regulatory fines and penalties associated with non-compliance. In addition, managed security services often include advanced threat detection and response capabilities such as Security Information and Event Management (SIEM), Intrusion Detection and Prevention Systems (IDPS) and Threat Intelligence Analysis. With such technologies, emerging threats are detected and averted more effectively than with the sole use of internal resources. When there is a shortage of staff, the expertise and experience of MSPs is worth its weight in gold to improve security and overcome complex technical challenges.

By working with experienced MSPs and MSSPs, such as the experts at SITS, organizations strengthen their IT security, increase operational efficiency and reduce the risks associated with the ever-evolving threat landscape.

vCISO - External expertise for more IT Security

  • A virtual Chief Information Security Officer improves IT security, offers manpower flexibility and cost efficiency.
  • The vCISO’s responsibilities range from developing a customized security strategy to implementing an information security management system and monitoring day-to-day operations.
  • Good vCISOs are highly qualified, certified and are equipped with industry knowledge and communication skills.

Over 2,000 cyber attacks on companies are registered every day and, with increasing digitalization, the potential damage that a successful attack can cause to a company is increasing. At the same time, the range of security solutions, frameworks and methods for protecting against attacks is also growing, but regulation in the area of IT security is at the same time becoming increasingly complex. Many large companies therefore now employ a Chief Information Security Officer, or CISO for short. The CISO is responsible for ensuring that the company’s IT security strategy is cost-efficient, effective and legally compliant.

But what can medium-sized and small companies do if they cannot afford or do not want their own CISO? Then a virtual Chief Information Security Officer (vCISO) is a good alternative to gain access to highly qualified security management and avoid breaches in the IT security architecture.

Why is a CISO needed?

A CISO is responsible for the cyber security strategy, i.e. the reliability of the company’s IT, and at the same time ensures that all regulatory requirements for a company’s IT, software and data infrastructure are complied with.

The CISO usually reports to the Chief Information Officer or the Chief Technology Officer. Occasionally, they also report directly to the Chief Executive Officer.

The internet platform kununu states an average annual salary of around 95,000 euros for this position.

How does a vCISO work?

Virtual CISOs are experts who can be deployed by companies as required. This means that they are not a cost factor for the payroll budget, but are requested whenever projects are pending, urgent problem solutions are required or problems need to be avoided in advance.

  • The implementation process usually begins with a security audit. Here, the vCISO determines how the respective company is positioned in the areas of IT security and regulation. It examines the security architecture, identity and access management as well as compliance with the legal framework.
  • In the second step, the vCISO draws up a recommendation for the expansion or conversion of the existing security architecture. In addition to the efficiency of the systems, the focus is also on cost optimization, reliability and future-proofing.
  • The vCISO then supports the implementation of the revised security measures. An Information Security Management System (ISMS) or the connection to a Security Operations Center (SOC) often support the evaluated measures.
  • The quality of the system is then reassessed at regular intervals in order to keep the risk situation in the areas of operations, data protection, IT security and cyber resilience as low as possible.
  • And, of course, the vCISO is available at any time in the event of a problem, for example to close acute security gaps or prevent the loss of valuable company data.
``A CISO should be aware of current cyber security threats and common defense mechanisms. The CISO must be aware of legal and industry-specific requirements as well as common methods for meeting these requirements effectively and in a cost-efficient manner.``

Oliver Teich (Strategic Consultant)

Further tasks of a vCISO include:

  • Consulting on security strategy and on the choice of software, frameworks, etc.
  • Support and monitoring of Managed Service Providers (MSP)
  • Further development of the IT security strategy
  • Preparation of IT security reports
  • Consulting the management in the area of cyber security
  • Maintaining contact with supervisory authorities
  • Reviewing the IT security of partners and suppliers
  • Regular updating of security guidelines

In addition, a vCISO is a highly valuable sparring partner for all IT departments in the company. He brings an external perspective and market experience to projects as part of the planning process. This enables them to identify vulnerabilities in existing security architectures quickly and reliably.

Apart from this, a vCISO can of course also take on the tasks of a permanent CISO as an interim solution, e.g. to compensate for parental leave, illness, vacations or other absences or to provide support in the event of a temporarily high workload.

How to find a good vCISO?

As a virtual CISO communicates with the IT department as well as the management and sometimes the employees of a company, he or she must have good communicative skills in addition to professional qualifications. The candidate should be able to break down complex issues and explain them clearly. Negotiation skills, strategic thinking and experience in stakeholder management are also among the soft skills of a good vCISO.

The technical requirements for working as a vCISO include a degree in computer science (or comparable qualification) and relevant additional experience. Further qualifications such as an MBA with a focus on information security also show that a candidate is well prepared for the role of vCISO. In any case, the vCISO should be able to demonstrate good industry knowledge and several years of professional experience in the management of IT security programs and projects.

Important certificates that prove a comprehensive qualification when working as a vCISO:

  • CISSP (Certified Information Systems Security Professional): This internationally recognized certificate is regarded as the most important proof of expertise in the field of information security.
  • CISM (Certified Information Security Manager): Demonstrates that the candidate has mastered the management aspects of information security.
  • CEH (Certified Ethical Hacker): The CEH certificate demonstrates that the holder has extensive experience in ethical hacking and penetration testing.
  • ISO 27001 Lead Implementer: Certifies the ability to set up an information security management system in accordance with ISO 27001.
  • ISO 22301 Business Continuity Management System: Ensures the continuity of the operations of the company even in the event of major incidents and in crisis and emergency situations.

By the way: Opting for a virtual CISO offers the opportunity to choose a partner that perfectly matches the current requirements of your own business sector – and to be able to replace them easily and flexibly if these requirements change in the future.

In addition to all these considerations, the availability of a vCISO in an emergency should also be clarified when deciding on a vCISO.

``A vCISO must also be available in critical situations. In an emergency, it must be ensured that a representative or an emergency team can step in if necessary.``

Oliver Teich (Strategic Consultant)

Are vCISOs the right choice for you?

For small and medium-sized companies in particular, the decision to appoint a virtual Chief Information Security Manager is an opportunity to raise the quality of their own IT security to a higher level. The external consultant takes on tasks for which the CTO or CIO usually lacks the time and for which other IT employees are often not sufficiently qualified. Some guidelines also require the separation of CTO and CISO personnel.

In this way, a vCISO brings external expertise and competence to the company’s security management and at the same time offers personal flexibility and full cost control.

It has been 30 years since the financial services giant Citigroup (formerly Citicorp) set up a special office for cyber security following a series of cyber attacks by Russian hackers. 1994 is therefore considered the year of birth of the profession of Chief Information Security Officer. Today, three decades after the emergence of the first CISO, almost every major company has a cybersecurity specialist. Cybersecurity Ventures explains that there are currently around 32,000 CISOs worldwide. However, with an estimated 334 million companies, it quickly becomes obvious: Many other companies and organisations are yet to staff such a position – no matter how important it may be. This may be due to size, lack of expertise or budget constraints, or because CISO support is needed immediately: A full-time CISO is desirable for many companies, but not always realisable or affordable. Sometimes CISO tasks are also distributed among several IT employees, which harbours risks if there is insufficient knowledge. In such cases, a virtual CISO or an outsourced CISO (CISO-as-a-Service) is a good alternative.

What is the role of a CISO?

A Chief Information Security Officer plays a central role in ensuring the security and integrity of an organisation’s information assets, of course. Nevertheless, due to the large number of tasks, it is worth listing the main areas of responsibility.

CISOs are:

  • Experts in risk management: This includes the identification, assessment and prioritisation of cyber security risks and vulnerabilities. It also involves developing risk mitigation strategies and recommending appropriate security controls and countermeasures.
  • Guardian of information security policies and procedures: This involves developing, implementing and enforcing information security policies, standards and procedures throughout the corporate structure. After all, all major laws, regulations and industry standards must be adhered to.
  • Incident response chiefs: CISOs develop and maintain plans on how to respond to data breaches in order to contain and mitigate security breaches. They also lead incident response teams in investigating security breaches, determining root causes and implementing defences.
  • Security architects: The design, implementation and maintenance of a robust security architecture and infrastructure to protect the systems, networks and data within a company are also part of the CISO’s catalogue of tasks. He or she evaluates security technologies and selects tools to support the security objectives. In some cases, it is advisable to set up an Information Security Management System ((link to ISMS)) in accordance with ISO standard 27001.
  • Security trainers: CISOs promote security awareness and best practices within the workforce, contractors and other stakeholders. This includes the development of cyber security training to raise awareness of security risks.
  • Compliance controllers: They develop security management frameworks and mechanisms to ensure effective monitoring. They conduct regular security assessments, audits and reviews to verify compliance with internal policies and external regulations.
  • Third-Party Risk Managers: CISOs assess the security posture of vendors, suppliers and third-party service providers to ensure they meet the organisation’s security standards and requirements. They establish contractual agreements and monitoring mechanisms to effectively manage third-party security risks.
  • Communication specialists: Timely and transparent communication of security incidents, threats and vulnerabilities to senior management, management and stakeholders is also important, as are regular reports on the security situation within the organisation.
  • Trend checker and trailblazer: CISOs must always be aware of new threats, trends and technologies in the field of cyber security in order to adapt and improve security measures. They should also drive innovative projects to take the fear out of future security challenges.

 

It is obvious that every company would like to have such a security all-rounder in its ranks. However, as this is often not possible for the reasons mentioned, it is worth requesting external support: CISO-as-a-Service.

Six reasons for CISO-as-a-Service

The advantages of external CISO support over a permanent Chief Information Security Officer are summarised in the following “CISO-as-a-Service Top Six”.

CISO-as-a-Service scores with:

  • Flexibility: External CISO services are more flexible in terms of the scope and duration of services. CISO support can be scaled as required and additional resources can be added or reduced. This is particularly practical in times of increased security requirements or when implementing specific projects.
  • Expertise: External CISO services offer access to a pool of experienced experts. Companies can benefit from in-depth experience and have access to specialised skills that an internal CISO does not have.
  • Continuity: External CISOs keep up to date with current threats, trends and best practices. They can ensure that security policies and practices are continuously improved and adapted to the changing threat landscape without the need to divert internal resources.
  • Objectivity: External staff ideally provide an objective and independent view of an organisation’s security practices. They are not involved in internal political dynamics and can therefore make decisions based on best practices and objective analyses.
  • Cost efficiency: External CISO services can be more cost efficient as organisations only pay for the services actually provided. Permanent CISOs receive a fixed salary, benefits and possibly bonuses, regardless of whether their performance is fully utilised or not.
  • Resource optimisation: External CISO services allow companies to free up internal resources for other strategic tasks and business objectives.

Conclusion CISO-as-a-Service

External CISO services are a cost-efficient, flexible and effective option to fulfil growing information security requirements. This is especially important when there are no resources or experience available for a permanent CISO. They are suitable for acute needs – onboarding new employees takes longer than hiring an external service – and as an interim solution. Whether SMEs or start-ups, smaller companies and companies in the process of being established benefit from the expertise of experienced CISO providers – and protect their valuable data and systems reliably.

If you would like to find out what CISO-as-a-Service can look like in day-to-day business, read our Success Story “CISO-as-a-Service for Steeltec Group“. The Swiss steel manufacturer relies on CISO-as-a-Service from Swiss IT Security AG. This includes, for example, the creation of a security roadmap, the coordination of various departments and the design of a remote access solution for the devices in the plant.

A certain amount of risk-taking can drive innovation, but in a business environment, forward planning is required above all. Well-planned IT risk management enables companies to ensure they reach informed decisions about their security resources. In view of increasing threats and technical and regulatory developments, risk management is becoming more and more important. According to KPMG, around 72% of companies regularly measure their cyber security status on the basis of KPIs. However, only one in four companies uses Privileged Access Management (PAM) to protect digital identities, and only one in three companies uses SIEM (Security Incident and Event Management). A reorganization of the company’s IT risk management is therefore advisable.

Risk assessments as a basis for security

“The better sister of fear is caution, but the worse brother of courage is overconfidence.” This quote is attributed to the German entrepreneur Philip Rosenthal. And he should know what he was talking about, as Rosenthal spent his life dealing with fragile glass and porcelain. But Rosenthal’s insight should also serve as a guiding principle for other companies, authorities and organizations. After all, IT risks cannot be adequately assessed and prioritized without quantitative methods. Inefficient use of resources and inadequate protection are the result. Inadequate risk assessments can also lead to financial losses and reputational damage. Today, IT risk management is more than just a “nice to have” – in times of constantly new cyber threats, it is an absolute must for every company that wants to protect its data, systems, employees, partner companies and company assets against IT risks in the most effective way possible.

What is an IT risk?

Every year, the Allianz Risk Barometer lists the most serious corporate risks. Cyber incidents are currently in first place, followed by business interruptions. According to the survey, the cost of a data breach is around 4.35 million US dollars and rising. Effective IT risk management can prevent such incidents by identifying, assessing, prioritizing and mitigating potential threats.

The top 8 IT risks you should know:

  1. Security threats such as hacker attacks, malware, phishing attacks and unauthorized access to sensitive data can lead to data theft, business interruptions, financial losses, sanctions and reputational damage.
  2. Power outages, natural disasters, fires, floods or other hazards can damage the IT infrastructure and disrupt business processes.
  3. System or network breakdowns and infrastructure disruptions also cause unplanned downtime, affecting operations, productivity and customer satisfaction.
  4. Data loss or corruption can be caused by hardware failures, software errors, human error or malicious attacks. This can lead to the loss of important business and customer data or intellectual property.
  5. New technologies such as cloud computing, Internet of Things (IoT) or artificial intelligence may pose risks to data security and regulatory compliance.
  6. Non-compliance with regulations, data protection laws or contractual obligations may result in sanctions, financial penalties and legal proceedings. For example, NIS2, PCI DSS and HIPAA require regular vulnerability scans to protect sensitive data.
  7. Dependence on third-party vendors, suppliers or service providers poses risks such as service interruptions, data breaches or contract disputes.
  8. Insider threats, human error, inadequate training or negligent staff behavior can lead to data leaks, unauthorized access or mishandling of sensitive information.

What is risk assessment and risk management?

IT risks refer to the probability of unexpected, negative business results due to the exploitation of vulnerabilities in hardware and software. A wide range of IT risk management methods can be used to mitigate these IT threats. Risk management is not an isolated and stand-alone approach. Instead, it involves many different procedures, guidelines and tools for identifying and measuring potential threats and vulnerabilities in your IT infrastructure. These are interlinked and should be tailored to the requirements of your company. The first step is always the risk assessment, i.e. the quantitative and qualitative evaluation of risks, followed by specific countermeasures.

For a reliable evaluation of the IT risks in your company, you should consider these four cornerstones of the risk assessment:

  • Threats are all situations, actions or incidents that can compromise system security. This can be intentional or accidental, such as malware attacks, device outages, human error and natural disasters.
  • Vulnerabilities are weaknesses or gaps that criminals exploit to steal sensitive information. The identification of vulnerabilities in IT systems and attack methods targeting them determines how well IT risks can be minimized.
  • Assets is a broad term that encompasses both software and hardware, stored data, IT security guidelines, user data and even individual file folders containing sensitive data.
  • Costs are the total damage that a company can suffer as a result of a security incident – be it financial, reputational or, in the worst case, both.

Why is IT risk management so important?

In its 2023 risk management benchmark study, Deloitte discovered that less than a third of the companies surveyed currently meet the requirements of a holistic risk management system.  In this context, a recent Accenture study indicates that risk management is becoming increasingly important for a large number of companies, as complex and interconnected risks are occurring increasingly fast. This was stated by 83 percent of those surveyed. 77 percent also stated that it is becoming more difficult to identify and manage risks and 72 percent were concerned that their risk management expertise could not keep pace with the rapidly changing IT landscape.

IT risk management tailored to modern requirements is therefore absolutely essential:

  • Competition,
  • the protection of your assets,
  • secured business continuity,
  • regulatory alignment and compliance,
  • the protection of your corporate reputation,
  • the optimization of costs and resources and
  • to strengthen the trust of all stakeholders.

To protect your company information comprehensively and contain the increasing number of risks, there is no way around customized risk management.

The detection systems of the independent AV-TEST Institute detect and analyze 3.9 new malware samples each second. This means over 322,000 new malware variants per day. IT security incidents caused by malware attacks, data leaks and cyber attacks can affect the trust of customers, partners and the public. Proactive risk management helps to minimize the risk of such incidents and protect the company’s reputation. By identifying and prioritizing IT risks, you can also deploy resources more efficiently and make targeted investments in security mechanisms. This helps to minimize potential damage and costs associated with IT security incidents.

Threat Landscape of Cyber Attacks

Ransomware and other cyber attacks will continue to test the resilience of supply chains and business models in 2024. In any case, cyber incidents such as malware attacks, violations of data protection, and IT system failures are among the biggest fears for companies worldwide. The second concern is the associated risk of business interruption.

Cyber incidents (36 percent of all incidents) are thus the most feared risk globally for the third consecutive year, now with a significant lead (5 percent). Respondents to the Allianz Risk Barometer consider data breaches as the most worrisome cyber threat (59 percent), followed by attacks on critical infrastructure and physical assets (53 percent). The recent increase in ransomware attacks, with a concerning surge in 2023 and a more than 50 percent increase in insurance losses compared to 2022, ranks third (53 percent). In Germany, the concern about cyber incidents and business interruptions is also at the top of the survey. Not surprisingly, in 2022, almost three-quarters (72 percent) or 148 billion euros of the total damage to the German economy caused by data theft, sabotage, and economic espionage alone were attributable to cyber attacks. There are many examples of affected companies, including prominent names.

Why Cyber Insurance?

If a phishing email or a hacker attack paralyzes a company’s IT, it can quickly threaten its existence. Cyber insurance can help mitigate such damages. It is a contract that companies enter into to reduce financial risks associated with online business. For a fee, the insurance policy transfers part of the risks to the insurer. Cyber insurance is recommended for any company that operates with sensitive data and whose business operation depends on the availability of this data.

The first cyber insurance policies were introduced in the late 1990s in response to the increasing reliance on technology and the rise of cyber threats. Initially focusing on data breaches and cyber attacks, over time, providers expanded coverage to a broader spectrum of cybercrime, including ransomware attacks and other malware attacks, social engineering, system failures, and operational disruptions due to cyber security incidents.

What Services Do Cyber Insurance Policies Include?

Depending on the contract, a cyber insurance policy includes the following services:

  • Financial Protection: Cyber insurance provides financial protection against damages caused by cyber incidents (see below). This includes expenses for investigations, credit monitoring, potential legal obligations, and other costs related to data breaches. Additionally, it may cover business interruptions, loss of revenue, and the restoration of computer systems.
  • Prevention and Remediation: Cyber liability insurance protects companies against the risk of cyber events, including those with a terrorist background. It covers network security and assists in promptly addressing cyber attacks and similar incidents.
  • Legal Support: Legal assistance is often included in cyber insurance. This helps companies navigate the complex legal system related to cyber incidents, covering costs for legal representation, compliance, and potential lawsuits due to data breaches.

Other Typically Covered Costs:

  • Notification of customers after a security incident.
  • Hiring forensic experts to recover compromised data.
  • Restoring the identity of customers whose personal data has been compromised.
  • Recovering altered or stolen data.
  • Repair or replacement of damaged or compromised computer systems.

In addition, there are positive side effects: By obtaining cyber insurance, companies distinguish themselves from competitors by demonstrating their commitment to protecting customer data and actively preparing against cyber attacks. Furthermore, they demonstrate their dedication to high cyber security standards. This enhances reputation and trust among customers, stakeholders, and partners. Ultimately, cyber insurance provides companies with a sense of security by ensuring their financial stability during cyber crises. Companies can focus on their core business without constantly considering the potential financial and reputational consequences of a cyber attack.

What Cyber Risks Are Insured?

Regarding cyber attacks, cyber insurance provides protection against various risks arising from internet use. It’s important to note that the exact scope of insurance coverage varies depending on the provider and the policy. Here are some examples:

  • Cyber Fraud: Damages caused by fraudulent activities on the internet, such as phishing.
  • DoS and DDoS Attacks: Damages caused by attacks aiming to make a service or website inaccessible.
  • Infections by Malicious Software: Damages caused by ransomware, worms, trojans, and other malware.
  • Data Loss: Costs for the recovery or replacement of lost or stolen data.
  • Violation of Privacy and Confidentiality Obligations: Fines and other costs due to violations of data protection laws.
  • Cloud Outages: Damages caused by the failure of cloud services.

Are There Requirements for Obtaining Cyber Insurance?

Interest in cyber insurance is immense in the business world. However, not all companies meet the cybersecurity requirements that insurers now demand. While initially only basic protection was considered a criterion, companies seeking insurance must now demonstrate a high level of protection.

The basis for a required minimum level of IT security includes well-known measures such as regular data backups, individual access controls, protection against malware attacks, firewalls, and timely installation of security updates. However, it now extends beyond technical measures to address organizational and procedural measures. It involves including people, especially through employee awareness training on the topic, making policies (e.g., password policies) known and adhered to, and institutionalizing IT security processes. All this must be measurable and verifiable, with responsibility ranging from top management to each individual employee.

As with any insurance contract, the insurer asks about the risk. They may demand additional necessary security measures, which must be taken into account. Hence, the aforementioned traceability is crucial. All identified risks must be reduced or normalized. If this does not happen, the insurer may exclude certain damages in the contract.

A standardized system for managing identities and access rights for various on-premise and cloud applications is mandatory, for example. Like good fire protection, a well-implemented access rights system via IAM (Identity and Access Management) serves as a foundation for lower insurance premiums. Mechanisms such as escalation of violations in case of incompatible activities and other measures, like a need-to-know role model, protect compliance and assist in proving unauthorized access.

Furthermore, companies are obliged to adhere to applicable legal foundations. For example, the cyber insurance of a medical practice or a hospital is bound to compliance with industry-specific security standards (B3S), the Patient Data Protection Act, and other measures for critical infrastructures.

Certain certifications are not mandatory, though. While these give insurers indications of the quality of IT security, as requirements for certification imply certain security measures, certification does not necessarily ease the process of obtaining insurance.

What Factors Determine the Cost of Cyber Insurance?

The costs of cyber insurance are variable, and providing a blanket statement about the amount is challenging. Prices for cyber insurance typically depend on the annual turnover of the insured, the industry, the scope, and type of insurance coverage. In recent years, there has been a significant increase in cyber insurance premiums and payments, attributed to the growing attack surface and the evolution of attack techniques. To receive a specific quote, it is advisable to arrange a consultation with the respective insurance provider or request a quote.