Cybersecurity continues to be a frequently discussed topic as criminals find success utilizing more sophisticated social engineering and penetration techniques. Unfortunately, the current threat landscape means most organizations are likely to eventually have some sort of cyber incident. The more relevant question now is what level of cyber protection an organization should opt for with their insurance policy.
Almost every business and organization has exposure and should evaluate cyber insurance options. Neither size, industry nor technical savviness decreases risk. Although degrees of exposure vary (for instance, organizations entrusted with highly sensitive HIPAA or personal financial data have considerable risk), any business that has employees (and thus has PII data) or accepts credit cards has liability with respect to the employment and customer data that it is expected to safeguard. Breaches can be costly in lost productivity and costs associated with compromised personal employment or customer data.
Cyber insurance applications should be carefully reviewed and completed accurately. One of the most challenging aspects of getting a cyber insurance quote can be the application process. Each application is likely to ask different questions, may include confusing wording or seem to ask questions not appropriate to your type of business or information technology environment.
An insurance company’s responsibility is to assess risk and then price their policies accordingly. As the risk landscape evolves, insurance companies have adapted their applications to better evaluate factors that create exposure.
What does this mean when completing an application? First, the applications themselves can be a useful tool to evaluate your environment and decrease your own risk to the extent you can apply the controls being asked in the application. Second, and perhaps more important, take the time to answer questions accurately. Likely you will need to include your IT support provider in the process.
Resist the temptation to provide the “right” answer. Merely working to implement a control should not merit a “yes” response. If a question asks about multi-factor authentication and not all employees or applications have it enabled, that is how the question should be answered. Consider attaching information to clarify answers that cannot be answered with a simple yes or no.
Should a breach occur and the insurance company determine that your application was not accurate, your claim may be denied.
Insurance policies and coverage can be vastly different. Another significant challenge of evaluating a cyber insurance quote is understanding what sort of coverage it provides. This evolving market currently has no standards, so policies from competing carriers are likely to offer different coverages.
You’ll want to work with an insurance agent to better understand what is and is not covered by the policy and its limitations. Some questions to ask include:
Is ransomware coverage included? (Surprisingly, not all policies include this.)
Is breach remediation covered?
Is social engineering coverage for fraudulently transferred funds included?
What about liability expenses such as reporting and providing identity monitoring services to compromised clients?
Obtaining the appropriate policy should be a collaborative process between your business, insurance agent and IT provider to ensure that the highest risk areas are adequately covered.
In the event of a breach, a reputable carrier will be your ally. A cyber incident can be stressful and chaotic. A seasoned carrier will have an incident response team ready to help guide your organization through the steps needed to address the situation.
Often additional third-party experts, such as attorneys, will be consulted to determine the extent of risk and appropriate response. The insurance carrier is likely to have additional resources; however, it is likely they will also expect you to work with a local IT expert to obtain forensic evidence, recover data and remediate your network, PCs and servers.
Having a reputable insurance company on call can be a huge relief as you work to get your organization operational and deal with resulting liabilities.
If your organization hasn’t recently reviewed your cyber security insurance, now is a good time to have a conversation with both your insurance agent and IT provider to ensure that you understand the risks and protections provided by your policy.
Martin Straub has more than 20 years of experience developing, building and maintaining frustration-free technology solutions. He founded SimplePowerIT to focus exclusively on delivering frustration-free technology solutions to NCW businesses and nonprofits. He can be reached at (509) 433-7606 or simplepowerit.com.