We recently hosted a webinar for our clients to help them become better informed buyers of cyber insurance. The positive response that we received from clients confirmed for us that managing cyber risk is an increasing concern for business leaders. In fact, some of our clients opened up participation in the webinar to their management staff which was a signal that they understand that cybersecurity is everyone’s job.
In the webinar, Michael Mellott, President of XPERTECHS, and Ruth Sliviak, President of ICS Insurance, discussed why businesses need cyber insurance, and what insurance companies are looking for when it comes to determining rates, or even if you can get cyber insurance in the first place.
Here’s a sample of some of the questions and answers that came out of the webinar –
NOTE: In no way does this article provide advice for your particular cyber insurance or security needs. Contact your insurance agent and IT advisor to get guidance on how to address your unique situation.
What kind of cyber attacks are common?
“What types of cyber events are we seeing? Obviously, phishing attacks are coming in and whaling, which is basically a hacker going after a C level executive because they're the ones that probably have access to the most confidential information and data.
The second one is spear fishing and that's where they have a targeted attack. And it could be someone in the accounting field. It could be someone who has access to a particular type of data, such as human resources and personal information.” – Michael
“Someone actually hacked into a business owner's computer, which was left on. That owner had evidently kept all of their passwords saved [on their browser] so that when they were logging into the business banking account, they didn't have to re-enter anything.
When the hacker came in, he started searching around, found where they banked was able to get in and he transferred over $30,000 into another account. It was caught very quickly, but they have not received any of those funds back.” – Ruth
How has the IT industry responded to increasing cyber threats?
“Today we're providing all we did yesterday, but we're adding additional services like endpoint detection and response. We’re doing SIEM where we're collecting log information from all different devices that you may have in your network that collect logs like your firewall or your switches to analyze the activity that's going on.
[At XPERTECHS] we've created a SOC security operations center within our organization. We've implemented MFA multifactor authentication throughout our entire customer set. We offer security awareness training, and also simulation and testing. We can monitor the dark web and identify if your username or your passwords are being used out there on the dark web, if they're available for sale.
Then there's a whole new generation of firewalls that allow us to do a deep packet analysis. So as you can see, the industry is really doing a lot in trying to make sure that we are protecting our client base with advanced security tools.” – Michael
What’s an example of a misconception that business leaders have about cyber insurance?
“I think a lot of my clients, and I would imagine even some of Michael's, probably feel like their cyber losses would be covered under either their business office package or their professional liability, or if they happen to carry a crime policy or a property policy.
Although there could potentially be some very low level of overlap, the risks are not picked up under those types of policies. They would typically fall short because of the lack of depth and breadth that a standalone cyber policy would have a traditional policy won't have access to an experienced claims rep who's used to dealing with the processes involved in a cyber loss.
They would struggle with regard to being able to respond to any type of an incident, because they're just not in that area of expertise.” – Ruth
What does cyber insurance cover?
“It’s really what it can cover, what it should cover, and one of the first things is looking at first party coverage, which is going to protect you the policy holder in the event of any type of a claim, and then there's also third-party coverage, which would refer to damages alleged by clients or other third parties for which you work with, or your entity could still be liable for.
When we look at first party coverages, we think about forensic costs, notification cost, credit protection cost, and then crisis management. And then on the third-party side, we think about the cost associated with a breach of personally identifiable information, and then costs related to the third-party claims, including breach of contract negligent protection of data, network security breaches, the transmission of a software virus. And it goes on and on.
Then there’s business interruption. If something were to happen and you didn't have that access, your business is interrupted and you have a financial loss.” – Ruth
Should any third-party business partner that shares our client data have cybersecurity insurance?
“Absolutely. And when we talk about the application process, a very, very important thing to consider is if anyone that you're doing business with that has access to data that you've been entrusted with. You absolutely want to make sure they have protection and we're seeing it more and more in the industry.” – Ruth
What kinds of questions do you have to answer during the insurance application process?
“They're going to be asking what you do as an organization and how much information are you storing and how much do you process and transmit. They're going to be looking at your information security, your breach history, any type of data backup that you're utilizing, your company policies and procedures, and that can often include staff training and any type of simulation for your staff, so that they're not falling victim to some of these traps that the cyber criminals are putting out there.
There's going to be about whether or not you're complying with the legal and industry standards, if you're utilizing any type of managed data security and who is in charge of overseeing those cyber related matters. And then the end user awareness training and simulation, these are all very important things that are asked of you on that application process.
The more safeguards and processes that you have streamlined and are very clear on and are able to articulate in the event of any follow-up questions will really help get through the process and open up potentially additional markets in the event that you're in a more challenged line of work.” -- Ruth
How can you get the best rates on cyber insurance?
“One of the ways to save money on your cyber insurance, certainly underwriters want to see that you're doing everything possible to prevent an incident. They're looking for you not to have the old standard of firewalls and antivirus software, but they're absolutely looking for you to have in place dual authentication, staff training to avoid phishing, cybersecurity awareness, remote access management, best practices for passwords, dark web monitoring, all of those things are really going to help put you in a better position when you're trying to negotiate these coverages.
Also having valid backups, and not having any previous breaches. Coverage can be viable for folks that have had previous breaches, but they're definitely going to be paying a much higher premium because of that. Having the staff training and the simulation testing, the cyber security awareness, you know, and all of the, kind of the vulnerability scans and all of those things are really going to help when you're trying to conserve premium dollars.” -- Ruth
How does XPERTECHS security services match up to what cyber insurance underwriters are looking for?
We have a product called DEFEND and DEFEND PLUS, which is the next level of cyber security protection. Along with the basics, DEFEND includes anti-phishing simulation training and testing, advanced endpoint detection and a TDR (Threat Detection and Response) solution.
We do vulnerability testing on either a quarterly or semi-annual basis where we're actually penetrating the network and both internally and externally to try to see if we can find any holes that might exist in that network. We're going to provide dark web monitoring so that we can alert you if we see any of your credentials that are being hosted out on the dark web and we offer a hard drive destruction service with our recycling efforts.
Then we have an additional layer which we call DEFEND PLUS. This is really used more for our financial clients and some of our medical clients that need a higher level of security. And here we're doing things like, multifactor for both VPN, as well as RDS [Remote Desktop Services] that access the network. We're doing cloud backup services. And, we're also providing SIEM, which is collecting those logs and actually having someone monitor those logs and alerting us if they see any activity.” – Michael
DEFEND and Protect Your Data and Your Business
Because no one can guarantee that you will never experience a cyber attack, the ultimate goal of cybersecurity is to be resilient. Being resilient means that you have the capability to pivot when circumstances change, and bounce back if you have a data breach.
If you’re not confident that your current IT provider is covering all the bases when it comes to security, contact us for a free consultation. We’ll help you explore where you’re strong, and where you have gaps so that you can make informed decisions that can help you get the best rates on cyber insurance and ultimately protect the very survival of your business.