Question HFIH-04

Do you carry cyber-risk insurance to protect against unforeseen service outages, data that is lost or stolen, and security incidents?

Standard Guidance

EDUCAUSE provides no guidance here

Answering "NO"

State plans to implement coverage in the future or how you can provide breach/liabilty coverage to the institution without it.

Answering "YES"

Describe the coverage in place for this product.

Reason for Question

The capacity for the vendor to respond effectively (and quickly) to a security incident is of the utmost importance. The size and talent of a vendor's incident response team will determine their capabilities during a security incident. Use the knowledge of this response when evaluating other vendor statements, particularly when discussing degraded operation states.

Follow-Up Inquiries

If the vendor does not have an incident response plan, point them to the NIST Computer Security Incident Handling Guide at https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final (opens in a new tab)

HECVAT Pro Advice

[Add expert insights and best practices]

Implementation Tips

[Add practical steps for SME SaaS vendors]

FAQ

[Add common questions related to this HECVAT item]

Resources

[Add links to relevant articles or tools]