You could be the safest driver on the road and still not be able to guarantee that you would never, ever be involved in an accident. That’s why you have insurance. You hope you don’t need it. You’ll do everything you can to be safe, but if something does happen you’re glad it’s there. It’s the same with business cybersecurity insurance.
Cyber crime is increasing at an alarming rate, and more businesses are purchasing cyber insurance as part of their strategy to manage these increasing risks. Some executives are even finding that cyber insurance is becoming a requirement for doing business with customers and vendors.
If it’s not required, do you need it? And what’s behind the requirement anyway? Let’s go over the basics about cyber insurance to get to those answers.
Insurance Helps Manage Risks
Insurance is about managing risk. Having insurance transfers some of your financial risk to another party – the insurance company. This doesn’t mean that you have less responsibility for your (or your company’s) behavior. Just as having car insurance doesn’t mean you’re suddenly free to disregard traffic laws, having cyber insurance doesn’t give you permission to disregard secure behavior either.
In fact, the better your security, the better your chances of a lower premium. A high level of security is a sign that you’re taking your responsibility to manage cyber risks seriously. If you’ve ever filled out an application for cyber insurance, you already have an idea of what the insurance company considers good secure behavior.
The application for insurance will have a section that asks about the cybersecurity controls you’re currently using. As a business leader, you may not recognize everything on this list, but your IT team or Managed IT Services company should be able to help you. If there are boxes you can’t check off, that’s a sign you should ask why you aren’t using those controls and what gaps in your security that leaves.
Preventable Cyber Incidents May Be Excluded
Some cyber incidents are preventable, so you’re going to find some exclusions when it comes to what’s covered by cyber insurance. Passwords and identity management are a good example. If your employees are not using Multi-Factor Authentication (MFA), and a cyber criminal gets into an employee’s account and uses it to reach the rest of your network, that incident would be considered preventable.
Keeping online accounts secure is such a simple thing, yet too many people view the extra step that MFA requires as an inconvenience. They don’t understand the risks. Insurance companies are pushing more accountability for identity management down to policyholders: some not only require MFA, they also require individuals to confirm their accountability with a signature on an attestation document.
It’s good to know what’s excluded, but you also need to know what is included in your cyber insurance plan. There are different types of coverage that reflect how a cyber attack would impact you and other people.
Cyber Coverage to Help You and the People Who Are Hurt by a Data Breach
Cyber liability policies are concerned with damage that happens to third parties. Let’s say that your employees’ Social Security numbers were exposed as a result of a cyber attack. The damage, and the potential future damage, that they are exposed to because of the breach would be covered by cyber liability insurance.
Incident response policies provide resources that you’ll need to respond to a cyber incident. This includes halting the activity, cleaning up, getting back up and running, and figuring out how the breach happened in the first place. Some policies also give you access to forensic and communications specialists.
Here’s an opportunity to make a connection between the use of security controls and pricing. If you have Security Information and Event Management (SIEM) software, the job of the forensics experts will be easier because they’ll have log data to analyze. See how that can make your premium lower?
Business interruption policies for cyber insurance are similar to traditional business interruption coverage, providing reimbursement for the time that business operations are down. This can also include some of the costs to restore operations.
All cyber attack incidents can be considered crimes – because they’re against the law – but extortion and similar tactics are on the rise. This is important to note because the possibility of extortion means that you can’t simply plan never to pay a ransom if your data is held hostage. This gets even messier when you consider that paying a ransom to a foreign entity can violate US Department of the Treasury sanctions regulations administered by the Office of Foreign Assets Control (OFAC).
Loss of Reputation May Be Irrecoverable
One thing that you might never get back after a cyber attack is your reputation. Even the best damage control might not be enough to restore the trust you’ve lost with customers, vendors, employees, and your community after a data breach. That makes putting up a strong cyber defense more important than ever.
Back to our original question: do you need cyber insurance for your business? A better question would be, how can I position my business to bounce back after a cyber attack? That should also answer any questions about why your vendors or customers are requiring cyber insurance.
Not Confident About Security?
XPERTECHS delivers cybersecurity services along with Managed IT Services to companies in the Baltimore and Washington DC corridor, as well as the Dallas and Houston metro areas in Texas. Contact us for a free security consultation.