Read This Guide Before You WASTE YOUR TIME Talking To Cyber Insurance Carriers
What do you know about cyber insurance? Do you know whether you need it? Is it included in your general coverage? If not, can improved cybersecurity qualify you for better coverage or even lower premiums?
Cybersecurity insurance is protection designed specifically to help cover the potentially massive expenses associated with a data breach. It can be a worthwhile investment, so long as you know how it works.
After all, 84% of organizations have a cyber insurance policy right now—what are you waiting for?
What Is Cyber Insurance?
Cyber insurance is a type of stand-alone coverage. It’s designed to help businesses cover the recovery costs associated with any kind of cybersecurity incident, including:
- Business interruption costs
- Forensic analysis to identify the attack source
- Ransom demands and negotiations
- Costs to regain access or restore data
- Legal costs
- Public relations services
- Notification of clients and/or regulatory bodies
- Credit monitoring services for affected individuals
Types Of Cyber Insurance
Breach And Event Response Coverage
A very general and high-level form of coverage, this covers a range of costs likely to be incurred in the fallout of a cybercrime event, such as forensic and investigative services; breach notification services (which could include legal fees, call center, mailing of materials, etc.); identity and fraud monitoring expenses; public relations and event management.
Given that a range of organizations (such as The Securities and Exchange Commission, the Federal Trade Commission, the Department of Homeland Security, and more) have a hand in regulating aspects of cyber risk in specific industries, there are usually costs that come with defending an action by regulators.
This covers the costs of insufficient security or “human error” that may have led to a privacy breach. Examples may include an employee losing a laptop or e-mailing a sensitive document to the wrong person.
This type of coverage protects the policyholder and any insured individuals from the risks of liabilities resulting from lawsuits or similar claims.
Put simply, if you’re sued for claims that come within the insurance policy’s coverage, then this type of coverage will protect you.
This type of cybercrime event is generally a form of a ransomware attack, in which a cybercriminal keeps encrypted data inaccessible (or, alternatively, threatens to expose sensitive data) unless a ransom is paid.
Coverage of this type addresses the costs of consultants and ransoms, including cryptocurrencies, for threats related to interrupting systems and releasing private information.
Why Are Businesses Investing In Cyber Insurance?
Research by Advisen and Partner Re shows why businesses are investing so heavily in cyber insurance:
- News of cyber-related losses experience by others (66%)
- Experience of a cyber-related loss (62%)
- Board or senior management demand (42%)
It should also be noted that cyber insurance is relied on most often in the wake of a ransomware attack, as reported by 32% of those surveyed.
Is Cyber Insurance Worth The Investment?
So long as you manage your cybersecurity and your policy correctly, then, yes, cyber insurance is a worthwhile expense for modern businesses.
According to Sophos, 95% of surveyed businesses with a policy were covered by their provider after being infected with ransomware.
Does Cyber Insurance Offer Complete Protection Against Cybercrime?
A common misconception is that a cyber insurance policy is a catch-all safety net, but that’s simply not the reality.
Without a comprehensive cybersecurity strategy, a business may not qualify for a policy in the first place. Furthermore, in the event of a hack, a business may not qualify for full coverage if their cybersecurity standards have lapsed or if it can be found to be responsible for the incident (whether due to negligence or otherwise).
The core issue is that as cybercrime becomes more common and damaging, insurers will become more aggressive in finding ways to deny coverage. It’s in the interest of their business to pay out as little and as rarely as possible, which means the policies will tend to rely on a series of complicated clauses and requirements that covered parties have to comply with.
A key example is when Mondelez International was denied coverage for the $100 million of damage they incurred from the NotPetya attack. Their insurer, Zurich Insurance, cited the obscure “war exclusion” clause, claiming that Mondelez was a victim of a cyberwar.
This is not an isolated incident. As discovered by Mactavish, the cyber insurance market is plagued with issues concerning actual coverage for cybercrime events:
- Coverage is limited to attacks and fails to address human error
- Claims are limited to losses that result directly from network interruption and not the entire period of business disruption
- Claims related to third-party contractors and outsourced service providers are almost always denied
All this shows why business owners need to look carefully at the fine print of their cyber insurance policy and ensure their cybersecurity standards are up to par. No one should assume they’re covered in a cybercrime attack—after all, for every $1 million paid in premiums, insurance companies only pay out $320,000 in claims.
Is Cyber Insurance Easy To Buy?
Not necessarily—as cybercrime has become more common and ransomware costs have become steeper, cyber insurance carriers have become hesitant to provide coverage as widely as they did even a few years ago.
After all, these carriers need to continue to make a profit, which they won’t be able to do if they keep paying out massive ransoms on behalf of their clients. Many insurance providers have begun drawing a clear line between normally covered losses and those incurred by cybercrime-related events.
That means that if your cybersecurity doesn’t meet the standards of your insurance provider, you may not be as well covered as you think. Or, you may not even qualify for coverage in the first place.
Keep in mind that your cyber insurance provider will ask many questions about your cybersecurity standards to ensure you’re worth covering.
35 Questions Your Cyber Insurance Carrier Is Going To Ask…
- Does your business have a policy against opening unverified email attachments?
- Does your business keep malicious and spam emails out of staff inboxes?
- Does your business double-check email attachments before they are delivered?
- Does your business have an email threat protection solution in place?
- Does your business have an endpoint protection solution in place?
- Does your business use an Endpoint Detection & Response (EDR) solution?
- Does your business use multi-factor authentication (MFA) or Two-Factor Authentication (2FA) on all user accounts?
- Does your business test cybersecurity standards with regular vulnerability scans?
- Does your business prohibit incoming connections using hardware and software firewalls?
- How many users have local administrator rights enabled?
- Do you have a content filtering solution?
- Does your business monitor traffic into and out of the network?
- Do your staff members have access to a password manager?
- Are admin accounts tracked and monitored to limit and log access?
- Have you recently tested backups of all mission-critical data, applications, and configurations?
- Do you have encryption for backups (both at rest and in transit)?
- Do you store backups on and offsite?
- Do an air-gap, and separate authentication mechanisms protect your offsite backups?
- Does your business use a cloud syncing service? (e.g. OneDrive, DropBox, SharePoint, Google Drive)
- Is your cloud data backed up?
- Can staff members access business email on their personal devices?
- Can staff members send or receive PII, ePHI, or PCI data through business email?
- Do you have an email encryption solution in place?
- Is your staff regularly tested and trained on phishing and other social engineering attack vectors?
- Do you have a log aggregation solution in place?
- Do you have a Security Incident and Event Management (SIEM) system in place?
- Do you have an update and patch management system in place?
- Does your business monitor its network 24/7?
- Do you work with a third-party IT company?
- Do you rely on a third-party Security Operations Center (SOC)?
- Is all data encrypted (at rest and in transit)?
- Does your business have a documented policy for addressing unsafe conduct by employees?
- Is your business compliant with applicable regulations and standard systems?
- Do you have a policy limiting employees’ access to business data to resigning or terminated employees?
- Do you have a Mobile Device Management policy to limit risks posed to business data by your employees’ personal devices?
Do You Need Cyber Insurance?
You may not be required by the law to have cyber insurance. However, depending on the industry, certain compliance regulations recommend it. Cybersecurity insurance policies are offered by a variety of insurers, and policy prices and exclusions vary widely among different providers.
It’s virtually a certainty that you’ll need cyber insurance in one form or another at some point, which is why it’s wiser to invest now. At the very least, you should get a quote on a policy so you can make a properly informed decision.
Qualifying For Cyber Insurance Starts With Your Cybersecurity
In light of the challenges facing the cyber insurance market, providers are focusing increasingly on managing and reducing risk. Effective cybersecurity can help you reduce your cyber risk, which, in turn, makes you a more attractive prospect for cyber insurance coverage.
You should start by deploying advanced, next-gen protection. Having robust security solutions and correctly deployed will reduce your cyber risk.
At this point, it’s essentially a prerequisite to secure cyber coverage, with managed detection and response (MDR) services, the endpoint or extended detection and response (EDR/XDR) technologies, and next-gen endpoint protection is the most common requirements.
Furthermore, you’ll also want to implement multi-factor authentication, which is usually required to secure coverage. It’s so simple and effective a security measure that almost all carriers require it.
Lastly, make sure you consider business continuity. Preparing in advance is the best way to stop a cyberattack from turning into a full breach. Often, after an organization experiences a breach, they realize they could have avoided a lot of costs, pain, and disruption if they had an incident response plan.
A detailed plan that enables you to minimize the impact of an incident will reduce your cyber risk, making you a more attractive prospect to insurance providers. This is precisely the sort of project we (and our industry-leading partner Sophos) can help with…
Need Help Qualifying For Cybersecurity Insurance?
Meeting the stipulations by cybersecurity insurance providers may not be easy, depending on your cybersecurity posture. Alliance Technology Partners can equip you with a range of Sophos solutions to help you improve your approach to cybersecurity.
Our team provides cybersecurity and technology services for businesses like yours—we are available to help you develop a robust cybersecurity defense. We can ensure you qualify for a policy and minimize the chance that you’ll have to claim your cybersecurity insurance.
Get in touch with our team to get started.