cyber-insurance

We all know that cyber threats are not going away anytime soon.

People are worried and not sure what to do. Many sign up for cyber policies because they know they need something, but what I’m finding is that many business owners aren’t informed about what a policy really needs to contain.

They know that they want to transfer some of their risk to someone else. But they are not making sure they have the controls in place that will keep the insurance policy binding when a cyberattack actually occurs.

Most MSPs and many IT departments I’ve worked with to correct security processes and technology, and to establish an organization-wide culture of cybersecurity, initially had cyber policies that in practice required good hygiene across their technical teams (even though that requirement was implied by the policy wording rather than explicitly stated).

Cyber insurance has been around for over 20 years, but in the past couple of years the industry has boomed, driven by a paradigm shift in how we as technical workers perceive threats and handle the risks around them. I suspect that cyber insurance will continue to see a surge of business going forward, especially as attacks become more commonplace, technology becomes increasingly intertwined with business processes, and more laws come to regulate various industries.

The problem with much cyber insurance coverage is that the insurance company relies on your own assessment of your risks to price your premium. In most cases, the MSPs and IT departments I work with overestimate the controls their businesses have in place to avoid attacks, especially their ability to prevent, detect, investigate and report a breach in a timely manner.

For today, I want to focus on different common provisions in a policy to help you understand your coverage.

You see, once you identify the amount of coverage you want to purchase, you really need to consider the specific provisions within your policy to ensure that your business (or that of a client) can reasonably address your risks.

What type of information is covered?

Often a policy will define the types of information that will be covered. In many cases, personal information is explicitly defined. This means that client data and other information you might see as critical may not always be covered by a policy. In addition, the policy may define precisely what it considers confidential information covered by the policy. Make sure you and the insurer share the same interpretation of what is covered. This will be critical in closing gaps in your security stack so that your data-related risks are covered one way or another.

What are the minimum security requirements to protect your computer network and data?

This question is critical for evaluating both your own network and those of your clients. As I have mentioned before, many policies will evaluate what your IT company agrees to as a minimum service delivery to its clients. For example, your contract will likely include a statement guaranteeing that antivirus will be applied and updated on all machines on the network. In the event of an attack (even an attack involving wire fraud), a claim might be denied if the insurance provider finds problems with minimum service delivery, such as antivirus that was not applied or not updated on even one computer (even a computer unrelated to the incident!).

Be sure that your basic security is implemented as expected on every machine (this will save headaches and regret later).
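The "even one computer" point above is the kind of thing that is easy to verify before a claim is ever needed. The following is an added example, not code from the original post: it audits a constructed endpoint inventory against an assumed minimum-control baseline (antivirus present, real-time protection on, definitions no older than a fixed number of days) and flags personal devices so their coverage can be confirmed. The inventory records, field names, hostnames and the seven-day threshold are all assumptions; a real run would load this data from an RMM or EDR export and take the threshold from the policy or service contract.

```python
"""Audit an endpoint inventory against a minimum-control baseline.

Added example, not from the original post. The inventory, field names and
thresholds below are constructed assumptions chosen to illustrate the check.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class Endpoint:
    hostname: str
    av_installed: bool
    av_realtime: bool
    av_definitions_date: Optional[date]  # None when no product is present
    owner: str                           # "company" or "personal" (BYOD)


# Constructed sample inventory: one clean host, one with stale definitions,
# one with no antivirus at all, and one personally owned laptop.
INVENTORY = [
    Endpoint("fs01", True, True, date(2024, 3, 1), "company"),
    Endpoint("ws-accounting", True, True, date(2024, 1, 20), "company"),
    Endpoint("ws-kiosk", False, False, None, "company"),
    Endpoint("laptop-home", True, False, date(2024, 2, 28), "personal"),
]

# Assumed baseline; take the real figure from the policy or service contract.
MAX_DEFINITION_AGE_DAYS = 7

# Fixed audit date so the example is reproducible (use date.today() in practice).
AS_OF = date(2024, 3, 4)


def audit_endpoint(ep: Endpoint, as_of: date,
                   max_age_days: int = MAX_DEFINITION_AGE_DAYS) -> List[str]:
    """Return the findings for one endpoint; an empty list means compliant."""
    findings = []
    if not ep.av_installed:
        findings.append("antivirus not installed")
    else:
        if not ep.av_realtime:
            findings.append("real-time protection disabled")
        if ep.av_definitions_date is None:
            findings.append("definition date unknown")
        else:
            age = (as_of - ep.av_definitions_date).days
            if age > max_age_days:
                findings.append(f"definitions {age} days old (limit {max_age_days})")
    if ep.owner != "company":
        findings.append("personal device on network: confirm policy covers BYOD")
    return findings


def audit_inventory(inventory, as_of: date):
    """Map hostname -> findings for every endpoint that is not compliant."""
    report = {}
    for ep in inventory:
        findings = audit_endpoint(ep, as_of)
        if findings:
            report[ep.hostname] = findings
    return report


def fleet_compliant(inventory, as_of: date) -> bool:
    """True only when every endpoint passes: one failing host is enough to fail."""
    return not audit_inventory(inventory, as_of)


if __name__ == "__main__":
    for host, findings in audit_inventory(INVENTORY, AS_OF).items():
        print(host)
        for line in findings:
            print("  -", line)
    print("fleet compliant:", fleet_compliant(INVENTORY, AS_OF))
```

The fleet-level result is deliberately all-or-nothing, mirroring the insurer's view that a single unprotected machine breaks the minimum service delivery promise. Run it on a schedule and keep the reports; they are also the evidence you would want to hand over when a claim is reviewed.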

What devices are covered?

Right now, this is a hot topic. Are computers and servers owned by the company the only devices covered? If a client, or someone on your team, must work remotely from a home machine, will the policy cover an incident triggered by that personal machine? What about mobile devices? What about personal devices brought into the office (BYOD)? If you and your team are not clear about what may or may not trigger a denial based on device usage on your network, you risk having a claim denied.

What if a vendor caused an attack?

Will your insurance provider fulfill a claim based on damages caused by another vendor? In the event of a breach to your cloud infrastructure, for instance, a cyber insurance company might exclude any infrastructure not defined in your policy. This is especially true if a vendor is housing your data on their network.

What about timing for reporting a claim?

In many instances, policies are very clear about how much time you have to report a claim from the point at which the incident was discovered. Do you know how quickly your policy requires a claim to be reported? Whose knowledge of a breach is used to determine whether a claim has been reported past the deadline? Today, these are major considerations you need to think about when building your response plan! Remember, you are trying to have your cyber policy close the risk gap that remains after the controls you must ensure your people, processes and technology apply to protect the data on your network.

A Few Last Words…

As criminals find new ways to break into computer systems, whether by socially engineering their way in or by finding technical problems with your network, you will face increased risk of loss and damage from imperfect technology, team mistakes, or processes that don’t quite keep everything secure.

What I want you to think about when evaluating your security is what the ‘what ifs’ would be if a breach or attack happened on your network. That is where insurance can help, by transferring those ‘what if’ risks.