Cybersecurity continues to be a frequently discussed topic as criminals continue to find success utilizing more sophisticated social engineering and penetration techniques. Unfortunately, the current threat landscape is such that most organizations are likely to eventually have some sort of cyber incident. The more relevant question nowadays is what level of cyber protection an organization should opt for with their insurance policy.

Almost every business and organization has exposure and should evaluate cyber insurance options.  Neither size, industry, nor technical savviness decreases risk.  Although there are different degrees of exposure (for instance, organizations entrusted with highly sensitive HIPAA or personal financial data have considerable risk), any business that has employees (and thus holds PII) or accepts credit cards has liability with respect to the employment and customer data it is expected to safeguard.  Breaches can be very costly, not only in terms of lost productivity, but also in costs associated with compromised personal employment or customer data.

Cyber insurance applications should be carefully reviewed and completed accurately.  One of the most challenging aspects of getting a cyber insurance quote can be the application process.  Each application is likely to ask different questions, may include confusing wording, or may seem to ask questions not appropriate to your type of business or information technology environment.  Remember, an insurance company’s responsibility is to assess risk and then price their policies accordingly.  As the risk landscape evolves, insurance companies have become more adept and have adapted their applications to better evaluate the factors that create exposure.  What does this mean when completing an application?  First off, the applications themselves can be a very useful tool to evaluate your environment and decrease your own risk, to the extent you can apply the controls the application asks about.  Second, and perhaps even more important, you must take the time to answer questions accurately.  This is not a process to be rushed through at the application deadline.  Likely you will need to include your IT support provider in the process.  Resist the temptation to provide the “right” answer. Merely working to implement a control should not merit a “yes” response.  For instance, if a question asks about multi-factor authentication and not all employees or applications have it enabled, that is how the question should be answered.  Consider attaching additional explanatory information to clarify any answers that cannot be given as a simple yes or no.  Should a breach occur, and the insurance company is able to determine that your application was not accurate, your claim may be denied.

Insurance policies and coverage can be vastly different. Another significant challenge of evaluating a cyber insurance quote is understanding what sort of coverage it provides.  There are currently no standards in this evolving market, so policies from competing carriers are likely to offer very different coverages.  You’ll want to work with an insurance agent to better understand what is and is not covered by the policy and its limitations.  Some questions to ask include: is ransomware coverage included? (Surprisingly, not all policies include this.)  Is breach remediation covered?  Social engineering coverage for fraudulently transferred funds?  What about liability expenses such as reporting and providing identity monitoring services to compromised clients?  Obtaining the appropriate policy should be a collaborative process between your business, insurance agent, and IT provider to ensure that the highest risk areas are adequately covered.

In the event of a breach, a reputable carrier will be your ally.  A cyber incident can be extremely stressful and chaotic.  A seasoned carrier will have an incident response team at the ready to help guide your organization through the many steps needed to address the situation.  Often additional third-party experts, such as attorneys, will be consulted to determine the extent of risk and the appropriate response.  The insurance carrier is likely to have additional resources; however, it is likely they will also expect you to work with a local IT expert to obtain forensic evidence, recover data, and remediate your network, PCs, and servers.  Hopefully you never need them, but having a reputable insurance company on call can be a huge relief as you work to get your organization operational and deal with the resulting liabilities.

If your organization hasn’t recently reviewed your cyber security insurance, now is a good time to have a conversation with both your insurance agent and IT provider to ensure that you understand your risks and protections provided by your policy.

About the author:

Martin Straub has more than 20 years of experience developing, building, and maintaining frustration-free technology solutions. He founded SimplePowerIT to focus exclusively on delivering frustration-free technology solutions to NCW businesses and nonprofits.
