Having a grasp on your insurance policy involves going beyond your internal processes and needs. Make sure to manage third-party risk for your business-critical processes by understanding your vendors’ security program and confirming that it aligns with your requirements.
Ask if your suppliers and partners have cybersecurity insurance, and if yes, know what’s covered in their policy. To maintain visibility into their policy, we recommend including cybersecurity insurance reviews during third-party onboarding and periodically (at least annually) thereafter. Review the audit reports (e.g., SOC 2, ISO) of your key suppliers and partners to make sure they’re doing their due diligence.
You’ll also want to understand what’s included in the SLAs of your key suppliers and partners. If a cyber incident occurs, know whether their SLA changes and what their processes and timelines are for agreeing to come back online. This timeline will enable you to understand how your business will be impacted and how you should plan in advance for this type of incident. Doing so helps you manage your organization’s risk posture and is imperative for your organization’s critical and high-risk vendors.
If you’re looking for an easier way to keep track of your vendors’ and partners’ risk profiles and cyber insurance policies, Onspring’s Third-Party/Vendor Risk Management is a great place to start. With this product, users can easily integrate with SecurityScorecard, which helps customers access more cyber risk data, and mitigate and optimize what’s going on inside their organization, to improve their risk posture.