Lloyd's of London Launches First-of-its-kind Consortium Built on HITRUST Certification to Shape the Future of Cyber Insurance
Posted in Commentary with tags HITRUST on December 12, 2024 by itnerd
HITRUST, the leader in information security assurances for risk and compliance management, today unveiled an innovative cyber insurance consortium in collaboration with Lloyd’s of London and backed by a network of globally recognized AA-rated insurers. This first-of-its-kind shared risk facility revolutionizes the cyber insurance landscape, delivering exclusive, market-leading coverage and rates to HITRUST-certified organizations worldwide. By aligning relevant and reliable cybersecurity practices with tailored insurance solutions, the consortium sets a new standard for incentivizing and protecting trusted organizations.
As cyber threats continue to escalate, organizations face increasing pressure to effectively measure and mitigate information risk. HITRUST's proven methodology stands out as the industry-leading solution to manage information risk and to measure residual risk. By incorporating relevant risk management practices and security controls with a comprehensive and reliable assurance process, HITRUST-certified organizations achieve a significantly lower likelihood of breaches, with the gold standard for resilience in an increasingly volatile threat landscape and endorsement by leading cyber insurers.
According to the recently published 2024 Trust Report, less than 1% of HITRUST certifications experienced a breach over the past two years. This remarkable statistic underscores the effectiveness of the HITRUST assurance program in delivering measurable risk mitigation outcomes.
The newly formed consortium with Lloyd’s of London unites additional capital from a global network of Moody’s recognized AA-rated insurers to establish an innovative shared risk facility. This novel initiative leverages the proven link between HITRUST certification and superior and measurable risk management, enabling insurers to confidently deliver enhanced and more consistent insurance products. The facility is designed to scale as additional insurers join, ensuring greater capacity to meet the evolving demands of HITRUST-certified organizations across the globe.
Key benefits for HITRUST-certified organizations include:
Lower Insurance Costs: Exclusive, market-leading rates with more favorable terms and significant savings that reflect an organization’s commitment to strong cybersecurity practices, including a starting credit of 25% on premiums.
Simplified Insurance Process: Redundant questionnaires and lengthy application cycles are replaced with streamlined underwriting based on data from the HITRUST certification, with some policies underwritten in just one week.
Comprehensive Coverage: Policies are built on a single-page exclusion model, offering clarity and adaptability while supporting a wide range of organizational needs.
Scalable Protection: Access to increasing capacity as the consortium grows, ensuring coverage is adaptable to an organization’s needs as they change and grow over time.
Recognition for Security Investments: Demonstrate to partners, clients, and regulators that your organization meets the highest standards of cybersecurity, validated by the industry’s most trusted risk management framework.
To enable this consortium, HITRUST has developed a secure API that allows insurers to access detailed information about an organization’s HITRUST r2 certification through the company’s Results Distribution System (RDS). This technology ensures that insurers receive structured, consistent assessment data, facilitating a more accurate and efficient underwriting process.
Understanding the Shared Risk Facility
A shared risk facility is a collaborative arrangement where multiple insurers come together to share the underwriting risk associated with policies. For HITRUST-certified organizations, this means access to better insurance options, as the insurers collectively recognize the reduced risk these organizations present. This collaboration fosters a more stable and competitive insurance market.
Availability and Next Steps
The enhanced cyber insurance offerings are available to HITRUST-certified organizations effective immediately through their existing brokers. The offering is currently available for HITRUST r2 certifications, and plans are underway to extend it to the i1 and e1 assurance programs in 2025. Additionally, there is potential to expand the scope to encompass HITRUST's newly released AI Security Certification offering.
Organizations interested in benefiting from improved coverage and rates are encouraged to pursue HITRUST certification to take advantage of these new options.
The purple icon on the left indicates that my screen is being shared. Further confirmed by this:
But the thing is that I am not mirroring the screen. The Mac mini is only plugged into a TV via HDMI. There are no secondary monitors in play here as confirmed by this:
Pressing “Stop Extending” doesn’t do anything. I am not running any third party software to do anything with monitors. My only thought is that the Mac mini is seeing this display as a TV, which it is, and for reasons that I do not understand is offering to extend to this TV even though it is the only display connected.
Now I initially thought it was just me. But it turns out that there's a Reddit post that has other people with the same issue. That implies a bug unless there is evidence that says otherwise. Thus I will continue to research this and post any new findings that I come across here in the form of updates. But I wanted to put this out there in case you have the same issue. Also, if you know what this is and why it's happening, along with any fixes if this is a bug, I'd love to hear from you as well.
I swear, macOS Sequoia is not a good release at all. Apple may have been better off letting it bake in the oven a bit longer before releasing it to the public.
Posted in Commentary with tags Zoho on December 12, 2024 by itnerd
Zoho today announced the addition of key capabilities in Zoho Books, Zoho Inventory, and Zoho Practice, helping Canadian businesses and accountants enhance operational efficiency, simplify routine financial tasks, and ensure regulatory compliance. These capabilities aim to support organizations in streamlining many of their internal processes by providing them with necessary tools that help them grow.
Many businesses rely on manual processes for performing critical financial tasks, resulting in delays, errors, and inefficiencies that drive up costs and hinder growth. Today’s updates to Zoho’s finance and operations platform aim to streamline these processes for greater efficiency for both businesses and accountants.
For businesses:
Zoho Books has introduced a suite of new features, including support for electronic filing of T4A and T5018 slips with the Canada Revenue Agency. Businesses from Quebec can generate combined GST/HST-QST returns that include both federal and provincial returns and can be easily filed online with Revenu Quebec. Progress-based invoicing allows businesses to invoice customers incrementally over the duration of a project, improving cash flow. With bill pay capabilities, businesses can auto-scan bills, perform 3-way matching for accuracy, and pay multiple bills from different vendors, simplifying the entire accounts payable process. Advanced features like revenue recognition automatically recognize revenue based on contractual obligations or when the service is delivered, while the fixed asset management feature allows businesses to record asset details, calculate depreciation automatically, and generate forecast reports, simplifying the bookkeeping process.
In Zoho Inventory, advanced warehouse management capabilities—such as enhanced location tracking and labeling, stock counting, stock out alerts, and role-based access to the warehouse operations—offer better inventory control, ensure accurate stock levels, and provide faster order processing. The product’s mobile apps empower warehouse employees to perform their tasks more efficiently, improving productivity.
For accountants:
Zoho Practice has added new features to help accountants deliver client services efficiently. Workpapers simplifies audit and compliance workflows by automatically fetching client financial statements from Zoho Books, enabling easy comparison, adjustments, document management, and collaboration for seamless review and approval. The self-service portal enables accountants to collaborate with clients that use third-party services, facilitating document requests, digital signatures, and communication. Accountants can easily create and manage ledgers without a full accounting system, helping them maintain a single source of truth. Advanced capabilities like workflow automation, custom functions, and scheduling options support a complete tailoring of their operational workflow.
Pricing and Availability
All the features announced today for Zoho Books, Zoho Inventory, and Zoho Practice are available for immediate use. For more details on pricing, please visit the following pages for each product: Zoho Books, Zoho Inventory, Zoho Practice.
Ottawa Community Housing (OCH) is excited to announce that a free community Wi-Fi pilot has officially launched at two of its buildings in Vanier. Known as CommuniFi, the project is managed by National Capital FreeNet (NCF) in partnership with OCH, Hiboo Networks and with funding and technical support from CIRA (Canadian Internet Registration Authority).
The CommuniFi project helps bridge the digital divide for tenants at 251 and 255 Donald Street by providing free Wi-Fi in the common areas of the buildings. For many low-income households, the high cost of home internet and cellphone data creates barriers to accessing essential resources like education, employment opportunities, health services and connection to friends and family. This initiative is designed to alleviate some of the financial pressures associated with connectivity and empower tenants to better navigate the digital world.
The introduction of free Wi-Fi transforms the common areas of the buildings into a hub for learning, support and social engagement. It creates opportunities to host essential onsite support programs, social activities and community events. Community partners can also leverage the free Wi-Fi to deliver events, programs and workshops, providing tenants with access to a variety of resources and opportunities within their buildings.
Recognizing that digital access also requires digital skills, NCF’s award-winning HelpDesk will host tailored workshops and information sessions to assist tenants in using the free Wi-Fi network. The workshops aim to equip tenants with the knowledge to fully benefit from the opportunities that the connectivity provides.
OCH is proud to play a key role in expanding digital access beyond these buildings. By hosting the necessary infrastructure, OCH is enabling NCF to extend the pilot project to at least 10 other community organizations in the coming year, strengthening digital inclusion and building more connected communities.
Bell Canada, Canada's largest communications company, and Palo Alto Networks, the global cybersecurity leader, announced today a strategic partnership that brings together Bell's expertise in Managed and Professional services with Palo Alto Networks' industry-leading, AI-powered cybersecurity platforms. Building upon customer success and service development initiatives launched in 2023, Bell will now offer a full suite of services across Palo Alto Networks' three platforms, delivering comprehensive protection against evolving cyber threats for customers in Canada.
Palo Alto Networks' platformization approach unifies diverse security solutions into scalable platforms across network, cloud, and security operations. These platforms leverage automation and AI to deliver robust protection against cyber threats. Bell's deep bench of Managed and Professional Services experts, combined with Palo Alto Networks' platforms, enables 24/7 protection and secure connectivity through dedicated threat alerts and mitigation to stop and prevent malicious attacks. Businesses are empowered to achieve a unified security posture, enhance threat prevention, optimize operational efficiency, and accelerate digital transformation initiatives.
Bell’s Managed Services team will support the following Palo Alto Networks solutions:
Prisma Access – The industry's only security service edge (SSE) solution offering the most cutting-edge Zero Trust Network Access (ZTNA 2.0), to protect the future of work with an easy-to-use, unified security product. Prisma Access delivers industry-leading security to dramatically reduce the risk of a data breach while offering an exceptional user experience.
Palo Alto Networks NGFW – The first Next-Generation Firewalls with real-time inline security that help stop the most complex threats with AI-powered, cloud-based network security.
Prisma Cloud (CNAPP) – The Code to Cloud platform powered by Precision AI secures cloud-native applications and infrastructure, accelerating cloud adoption and helping to ensure security policy compliance.
Cortex XSIAM – The leading AI-powered SOC platform that centralizes data and SOC capabilities (XDR, SOAR, ASM, SIEM) to streamline security operations and accelerate and automate incident response and remediation.
The partnership underscores Bell's objective to provide innovative and comprehensive security solutions to businesses across Canada. Earlier this year, Bell announced the acquisition of Stratejm, a leading provider of Security-as-a-Service and enhanced Managed Detection and Response services. The expanded partnership with Palo Alto Networks further augments Bell's cybersecurity capabilities and is another step toward becoming the largest and most trusted Managed Security Services Provider in Canada.
Posted in Commentary with tags Apple on December 12, 2024 by itnerd
A reader of this blog pointed me towards a Reddit thread and a MacRumors thread where people are complaining about this:
Given that Apple Intelligence and a better Siri experience are part and parcel of macOS Sequoia, and the Mac mini is Apple’s gateway into getting more Macs into the hands of more people, this is really bad.
Another data point. The same reader who tipped me off to this has confirmed that on his M4 Mac mini, when Apple Intelligence is on, he has to click on the Siri/Apple Intelligence button, then the mic icon, and then he can talk to Siri. If Apple Intelligence is off, he clicks Siri and he can talk right away. That implies a bug to me.
What I am guessing is that Apple likely only tested this on the Studio Display and figured that it was job done at that point. I say that because some people with Mac minis and Studio Displays have confirmed that this is working as intended. Clearly Apple needs to do better QA before releasing stuff to their customers. The bottom line is that you can add this to the growing list of bugs with macOS Sequoia, which includes Time Machine issues, and display issues which appear to be a design choice that Apple didn't tell anyone about.
Apple really has lost the plot when it comes to software quality.
Posted in Products with tags Ford on December 12, 2024 by itnerd
I’ve written about Ford’s hands free driver assistance feature called BlueCruise before. But I was intrigued by it to such a degree that I approached Ford for the opportunity to try it out for myself. Ford not only said yes to that, but they gave me this to drive for a weekend:
This is the Ford Mustang Mach-E electric vehicle. I’m going to do a full review of it in the coming days. But for right now, I’m going to focus on BlueCruise.
What BlueCruise is designed to do is to allow the car to "sort of" drive itself in certain situations. Specifically, you have to be in what Ford calls a "Blue Zone", which is usually a divided highway that Ford has mapped out and that is known to the car because the map data has been downloaded to it. More zones are being added all the time, so if your highway isn't on the list, it likely will be soon. Another requirement is that the lanes on said highway need to be clearly visible to the car's cameras. Finally, cameras inside the car need to be able to see your eyes so that it can confirm that you are paying attention to the road. That's where the "sort of" part comes in, because the car is basically driving under your supervision.
If you look above the pony on the steering wheel, but below the screen behind the steering wheel, you’ll see a rectangle. That’s where the cameras are located.
Here's what you do to activate BlueCruise. Assuming the preconditions for BlueCruise to be available are there, and the screen turns blue and lets you know that you're in a "Blue Zone", hitting the cruise control button should activate it. And the first time that I tried it, it did. Then it started to complain that I wasn't paying attention to the road, with a few beeps accompanying that message, and about a minute later the system shut off and the car beeped a lot. My wife was in the car with me at the time and it freaked her out. And this didn't help her anxiety about being in a car that had this feature. I pulled into a parking lot and readjusted my seating position, which was a tip that Ford had given me the day before via a briefing that covered BlueCruise and the Mach-E. I normally have a very upright seating position because I have a dodgy back. But I changed my setup so that I was lower than normal, and I was reclined slightly. After doing that, BlueCruise worked without an issue because it could now see my eyes.
Here’s a video that my wife took of me using BlueCruise for the first time and being completely hands free:
By the way, my wife wanted my hands on the steering wheel because she was super nervous about me driving hands free. Which I get. But we tested this out on a 218 km drive where 85% of it was on highway 401 or highway 427, and it worked flawlessly. There were a couple of times where the system had me take control without all the beeping that I mentioned earlier. The first was on the eastbound 401 just after Milton where, for reasons that I can't discern, it had me take control just before going under an overpass. Then it re-enabled BlueCruise about 30 seconds later. The second was when a transport truck was beside me and a car was two or three car lengths in front of me. Again, the system had me take control, and then when the car in front of me exited the highway, it took over again. I am guessing that BlueCruise thought that this was a dicey situation and that it might have been better if a human took control of the car. That was interesting because when we got close to Toronto we encountered some traffic and BlueCruise was able to deal with the stop and go traffic that we had to deal with for about 10 minutes. Finally, I should mention that BlueCruise can make lane changes all by itself. Simply hit the signal and the car will do its version of a shoulder check and move left or right for you.
The one thing that I did appreciate is that when I was using BlueCruise, I was actually less stressed. I am pointing this out because going into this, I was assuming that because I had my hands off the wheel and I was using the system, I was going to be on alert the entire time. But the opposite happened the more I learned to trust the system and understand how it worked. On a long drive like a road trip, I can see how this could be a serious quality of life improvement. My wife became more comfortable with me using the system as well. Though she's stated to me that if we owned this car, she'd never use it as she wants to be in complete control of the car at all times. Which is fair and not surprising to me as she's never used the cruise control feature of our daily driver as she doesn't trust that either. But I am thinking that if she had some seat time with BlueCruise in what she perceived as a "low risk" situation, she'd change her mind. Another thing that might help her to change her mind is the fact that Consumer Reports has had BlueCruise as the top-ranked active driving assistance system twice in a row out of 17 systems tested. So if it's good enough for Consumer Reports, it's likely good enough for you, and her.
My only gripe about BlueCruise is the fact that I had to alter my driving position to get it to work. While doable, my back wasn’t really a fan of that position by the end of the weekend. But I’m likely an edge case in that regard. Having said that, it would be nice if Ford made the eye tracking system a bit more flexible so that I didn’t have to change my position.
Ford has given you options in terms of how you can get BlueCruise:
Any new purchased or leased Ford vehicle will come with a 90 day trial of BlueCruise.
There is a one-year plan which will either be included standard or as an option based on the vehicle line and trim.
Starting on select 2025 model year vehicle lines, Ford customers can choose to upgrade to a one-time purchase at vehicle order and won’t need to activate BlueCruise again on their vehicle. And this activation will stay with the car, which adds value to the car.
You can activate BlueCruise on a month to month basis. For example, you could activate it for a road trip and then have it turned off when you get home.
And here’s a list of Ford vehicles that BlueCruise is currently available on:
Ford Explorer
Ford Expedition
Ford F-150
F-150 Lightning
Mustang Mach-E
My verdict is that if you’re looking at a Ford vehicle, you should try out BlueCruise. I think that once you try it and trust it, you’ll find it an indispensable aid when you’re in the car for long periods of time.
Posted in Commentary with tags HP on December 12, 2024 by itnerd
HP today released a new report highlighting the far-reaching cybersecurity implications of failing to secure devices at every stage of their lifecycle. The findings show that platform security – securing the hardware and firmware of PCs, laptops and printers – is often overlooked, weakening cybersecurity posture for years to come.
The report, based on a global study of 800+ IT and security decision-makers (ITSDMs) and 6000+ work-from-anywhere (WFA) employees, shows that platform security is a growing concern with 81% of ITSDMs agreeing that hardware and firmware security must become a priority to ensure attackers cannot exploit vulnerable devices. However, 68% report that investment in hardware and firmware security is often overlooked in the total cost of ownership (TCO) for devices. This is leading to costly security headaches, management overheads and inefficiencies further down the line.
Key findings from across the five stages of the device lifecycle include:
Supplier Selection – 60% of ITSDMs say the lack of IT and security involvement in device procurement puts the organization at risk. In addition, 34% say a PC, laptop or printer supplier has failed a cybersecurity audit in the last five years, with 18% saying the failure was so serious that they terminated their contract.
Onboarding and Configuration – More than half (53%) of ITSDMs say BIOS passwords are shared, used too broadly, or are not strong enough. Moreover, 53% admit they rarely change BIOS passwords over the lifetime of a device.
Ongoing Management – Over 60% of ITSDMs do not make firmware updates as soon as they’re available for laptops or printers. A further 57% of ITSDMs say they get FOMU (Fear Of Making Updates) in relation to firmware. Yet 80% believe the rise of AI means attackers will develop exploits faster, making it vital to update quickly.
Monitoring and Remediation – Every year, lost and stolen devices cost organizations an estimated $8.6bn. One in five WFA employees have lost a PC or had one stolen, taking an average 25 hours before notifying IT.
Second Life and Decommissioning – Nearly half (47%) of ITSDMs say data security concerns are a major obstacle when it comes to reusing, reselling, or recycling PCs or laptops, while 39% say it’s a major obstacle for printers.
From factory to fingertips – oversights in the supplier selection process, and onboarding and configuration limitations, impact device security across the lifecycle
The findings highlight the growing need for IT and security to be part of the procurement process for new devices, to set the requirements and verify vendor security claims:
52% of ITSDMs say procurement teams rarely collaborate with IT and security to verify suppliers’ hardware and firmware security claims.
45% of ITSDMs admit they have to trust suppliers are telling the truth as they don’t have the means to validate hardware and firmware security claims in RFPs.
48% of ITSDMs even say that procurement teams are like "lambs to the slaughter" as they'll believe anything vendors say.
IT professionals are also concerned about the limitations of their ability to onboard and configure devices down to the hardware and firmware level seamlessly.
78% of ITSDMs want zero-touch onboarding via the cloud to include hardware and firmware security configuration to improve security.
57% of ITSDMs feel frustrated at not being able to onboard and configure devices via the cloud.
Almost half (48%) of WFA workers who had a device delivered to their home complained that the onboarding and configuration process was disruptive.
Challenges and frustrations around the ongoing management, monitoring and remediation of devices
71% of ITSDMs say the rise in work-from-anywhere models has made managing platform security more difficult, impacting worker productivity and creating risky behaviors:
One in four employees would rather put up with a poor-performing laptop than ask IT to fix or replace it because they can’t afford the downtime.
49% of employees have sent their laptop to be repaired, and say this took over 2.5 days to fix or replace the device, forcing many to use their personal laptop for work, or to borrow one from family or friends – blurring the lines between personal and professional use.
12% had an unauthorized third-party provider repair a work device, potentially compromising platform security and clouding IT’s view of device integrity.
Monitoring and remediating hardware and firmware threats to prevent threat actors accessing sensitive data and critical systems is vital. However, 79% of ITSDMs say their understanding of hardware and firmware security lags behind their knowledge of software security. Moreover, they lack mature tools that would give them the visibility and control they would want to manage hardware and firmware security across their fleets:
63% of ITSDMs say they face multiple blind spots around device hardware and firmware vulnerabilities and misconfigurations.
57% cannot analyze the impact of past security events on hardware and firmware to assess devices at risk.
60% say that detection and mitigation of hardware or firmware attacks is impossible, viewing post-breach remediation as the only path.
Second life and decommissioning – how data security concerns are leading to an e-waste epidemic
Platform security concerns are also impeding organizations’ ability to reuse, recycle or resell end of life devices:
59% of ITSDMs say it’s too hard to give devices a second life and so they often destroy devices over data security concerns.
69% say they are sitting on a significant number of devices that could be repurposed or donated if they could sanitize them.
60% of ITSDMs admit their failure to recycle and reuse perfectly usable laptops is leading to an e-waste epidemic.
Complicating matters further, many employees sit on old work devices. This not only prevents devices from being repurposed, but it also creates data security risks around orphaned devices that still may carry corporate data.
70% of WFA employees have at least 1 old work PC/laptop at home or in their office workspace.
12% of WFA workers have left a job without returning their device right away – and almost half of these say they never did.
A new approach to the device lifecycle is needed to improve platform security
More than two thirds (69%) of organizations say their approach to managing device hardware and firmware security only addresses a small part of their lifecycle. This leaves devices exposed, and teams unable to monitor and control platform security from supplier selection to decommissioning.
To manage platform security across the entire lifecycle, HP Wolf Security’s recommendations include:
Supplier selection: Ensure IT, security and procurement teams work together to establish security and resilience requirements for new devices, validate vendor security claims and audit supplier manufacturing security governance.
Onboarding and configuration: Investigate solutions that enable secure zero-touch onboarding of devices and users, and secure management of firmware settings that don’t rely on weak authentication like BIOS passwords.
Ongoing management: Identify the tools that will help IT monitor and update device configuration remotely and deploy firmware updates quickly to reduce your fleet’s attack surface.
Monitoring and Remediation: Ensure IT and security teams can find, lock and erase data from devices remotely – even those that are powered down – to reduce the risk of lost and stolen devices. Improve resilience by monitoring device audit logs to identify platform security risks, such as detecting unauthorized hardware and firmware changes and signs of exploitation.
Second life and decommissioning: Prioritize devices that can securely erase sensitive hardware and firmware data to enable safe decommissioning. Before redeploying devices, seek to audit their lifetime service history to verify chain of custody, and hardware and firmware integrity.
For further insights and recommendations download the full report ‘Securing the Device Lifecycle: From Factory to Fingertips, and Future Redeployment’ here: [LINK]
About the data
WFA sample: A survey of 6,055 office workers that work hybrid, remotely or from anywhere in the US, Canada, UK, Japan, Germany and France. Fieldwork was undertaken from 22nd – 30th May 2024. The survey was carried out online by Censuswide.
ITSDM sample: A survey of 803 IT and security decision makers in the US, Canada, UK, Japan, Germany and France. Fieldwork was undertaken from 22nd February – 5th March 2024. The survey was carried out online by Censuswide.
Posted in Commentary with tags BforeAI on December 12, 2024 by itnerd
BforeAI has revealed that its researchers observed a recent surge in phishing attacks leveraging alleged communications from the Dubai Police, an integral part of the Dubai government and a frequent target of cybercriminals.
The campaign is primarily delivered via SMS text messages containing URLs that redirect users to a malicious domain. BforeAI analyzed 268 domains based on keyword matches from September 17 through November 22 to uncover specific patterns and trends involving the mention of Dubai Police.
Most domains originated from servers based in Singapore and have a history of malicious activity, including spam, phishing, and botnets. Over two dozen of these domains have already expired, with some registered as recently as November, indicating short-lived campaigns.
Two of the registrants were found to be from India and Dubai itself, and their suspicious names suggested that they originated from a legitimate company. In other cases, the threat actors have managed to keep their identities anonymous.
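The research described above started from keyword matches on domain names and then weighed registration recency to separate short-lived campaign infrastructure from long-standing domains. The following is an added example of that triage step, written for this page and not BforeAI's own tooling. It assumes a feed of newly observed domains with registration dates; the feed here is constructed inline, uses the reserved `.example` TLD, and the brand terms, separator and digit-for-letter normalization, and the 90-day recency window are assumptions, not values from the report.

```python
"""Keyword-based triage of a domain feed for brand-impersonation lookalikes.

Added example (not BforeAI's code). Assumes a list of newly observed
domains with registration dates; the feed below is constructed.
"""
from dataclasses import dataclass
from datetime import date
import re

# Brand terms the triage looks for (assumed; the report's theme is "Dubai Police").
BRAND_TERMS = ("dubai", "police")

# Digits commonly substituted for letters in lookalike names (assumed mapping).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})

# End of the analysis window quoted in the post; used as the observation date.
OBSERVED_ON = date(2024, 11, 22)


@dataclass(frozen=True)
class DomainRecord:
    domain: str
    registered: date  # constructed registration date


def normalize(domain: str) -> str:
    """Lowercase, drop a leading www and the TLD, undo digit swaps, keep letters only."""
    d = domain.lower().strip().rstrip(".")
    if d.startswith("www."):
        d = d[4:]
    labels = d.split(".")
    body = "".join(labels[:-1]) if len(labels) > 1 else d
    body = body.translate(LEET)
    return re.sub(r"[^a-z]", "", body)


def matched_terms(domain: str) -> tuple:
    """Return the brand terms that appear in the normalized domain body."""
    body = normalize(domain)
    return tuple(t for t in BRAND_TERMS if t in body)


def triage(records, observed_on: date, max_age_days: int = 90, min_terms: int = 1):
    """Flag domains mentioning the brand; score higher for more terms and recent registration."""
    flagged = []
    for rec in records:
        terms = matched_terms(rec.domain)
        if len(terms) < min_terms:
            continue
        age = (observed_on - rec.registered).days
        recent = age <= max_age_days
        flagged.append({
            "domain": rec.domain,
            "terms": terms,
            "age_days": age,
            "recent": recent,
            "score": len(terms) + (1 if recent else 0),
        })
    # Highest score first; ties broken alphabetically so output is stable.
    flagged.sort(key=lambda f: (-f["score"], f["domain"]))
    return flagged


# Constructed sample feed (not real observed domains).
SAMPLE_FEED = [
    DomainRecord("dubai-police-fines.example", date(2024, 11, 10)),
    DomainRecord("dubaip0lice-pay.example", date(2024, 10, 2)),
    DomainRecord("www.policeinfo.example", date(2023, 1, 15)),
    DomainRecord("mybakery.example", date(2024, 11, 1)),
    DomainRecord("dubai.example", date(2019, 5, 5)),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_FEED, OBSERVED_ON):
        print(f"{hit['score']}  {hit['domain']:30s} terms={hit['terms']} "
              f"age={hit['age_days']}d recent={hit['recent']}")
```

Keyword matching on its own produces false positives (a long-registered domain that merely contains "dubai" scores low but still appears), which is why the report also weighed hosting location and the domains' prior abuse history; those signals would be additional inputs to the score in a real pipeline.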
Abnormal Security has published its latest research, drawing on real-world examples of threats Abnormal customers received in 2024 to anticipate how the threat landscape will evolve in 2025. The blog also provides critical insights into the attack strategies organizations must be ready to detect and defend against.
According to the company’s observations, the five advanced email attacks to watch for in 2025 are:
Cryptocurrency Fraud
File-Sharing Phishing
Multichannel Phishing
AI-Generated Business Email Compromise
Email Account Takeover
This blog emphasises the dire need for AI-native defenses that can identify anomalies and analyze context in real time. By understanding how attackers adopt new tactics, organizations can protect the company and its employees from the increasing and evolving sophistication of email threats.
Lloyd’s of London Launches First-of-its-kind Consortium Built on HITRUST Certification to Shape the Future of Cyber Insurance
Posted in Commentary with tags HITRUST on December 12, 2024 by itnerd
HITRUST, the leader in information security assurances for risk and compliance management, today unveiled an innovative cyber insurance consortium in collaboration with Lloyd’s of London and backed by a network of globally recognized AA-rated insurers. This first-of-its-kind shared risk facility revolutionizes the cyber insurance landscape, delivering exclusive, market-leading coverage and rates to HITRUST-certified organizations worldwide. By aligning relevant and reliable cybersecurity practices with tailored insurance solutions, the consortium sets a new standard for incentivizing and protecting trusted organizations.
As cyber threats continue to escalate, organizations face increasing pressure to effectively measure and mitigate information risk. HITRUST’s proven methodology stands out as the industry-leading solution for managing information risk and measuring residual risk. By incorporating relevant risk management practices and security controls with a comprehensive and reliable assurance process, HITRUST-certified organizations achieve a significantly lower likelihood of breaches, with the gold standard for resilience in an increasingly volatile threat landscape and endorsement by leading cyber insurers.
According to the recently published 2024 Trust Report, less than 1% of HITRUST certifications experienced a breach over the past two years. This remarkable statistic underscores the effectiveness of the HITRUST assurance program in delivering measurable risk mitigation outcomes.
The newly formed consortium with Lloyd’s of London unites additional capital from a global network of Moody’s recognized AA-rated insurers to establish an innovative shared risk facility. This novel initiative leverages the proven link between HITRUST certification and superior and measurable risk management, enabling insurers to confidently deliver enhanced and more consistent insurance products. The facility is designed to scale as additional insurers join, ensuring greater capacity to meet the evolving demands of HITRUST-certified organizations across the globe.
Key benefits for HITRUST-certified organizations include:
To enable this consortium, HITRUST has developed a secure API that allows insurers to access detailed information about an organization’s HITRUST r2 certification through the company’s Results Distribution System (RDS). This technology ensures that insurers receive structured, consistent assessment data, facilitating a more accurate and efficient underwriting process.
Understanding the Shared Risk Facility
A shared risk facility is a collaborative arrangement where multiple insurers come together to share the underwriting risk associated with policies. For HITRUST-certified organizations, this means access to better insurance options, as the insurers collectively recognize the reduced risk these organizations present. This collaboration fosters a more stable and competitive insurance market.
Availability and Next Steps
The enhanced cyber insurance offerings are available to HITRUST-certified organizations effective immediately through their existing brokers. The offering is currently available for HITRUST r2 certifications, and plans are underway to extend it to the i1 and e1 assurance programs in 2025. Additionally, there is potential to expand the scope to encompass HITRUST’s newly released AI Security Certification offering.
Organizations interested in benefiting from improved coverage and rates are encouraged to pursue HITRUST certification to take advantage of these new options.
For more information about how to get started with HITRUST certification, please visit hitrustalliance.net/cyber-insurance or contact them.