Leaders of MSPs have been asking me: what are the gotchas when it comes to cyber insurance? With more focused attacks on clients now, especially during the transitions to and from work-from-home arrangements, cyber insurance is, and should be, an issue that business owners are thinking about right now. To that end, I put together 5 simple steps for choosing the right cyber insurance policy, to make sure there aren’t any gotchas, ‘not-covered’s, or unexpected consequences from choosing the wrong policy.
Step 1: Know Your Risks
Identify Common Cyber Exposures
Cyber risk can take many forms in a modern organization, so start by cataloguing the various ways your company is exposed: privacy liability, legislation, or even contractual clauses in business-to-business contracts that spell out the consequences of a data breach.
Operational risk comes from reliance on technology. What are the operational risks or exposures to you, your team, and your suppliers and supply chain? Consider everyone in your ecosystem and the impact on your operations when weighing your technological risks. How much coverage would you need if you or one of your suppliers were hit by a cyber incident?
Step 2: What Is Your Level Of Need?
Take a careful look at the technologies you rely on and how vulnerable they are to attack. You must understand when, where and why you need coverage in order to avoid gaps that could cost you in the event of an incident. Here are some areas where you might need coverage:
Network security, including hardware and software
Incident response in the wake of a data breach
Insurance for lost or stolen laptops and mobile devices
Business interruption as a result of a cyber event
Coverage for types of cyber extortion like ransomware
Crisis management and public relations
Losses in third-party systems
Forensic investigations
Step 3: Evaluating Your Plan
What Is In A Typical Plan?
Typical coverage consists of the following components:
Privacy Liability: theft, loss and unauthorized disclosure of confidential information
Network Security Liability: unauthorized access to or use of computer systems; denial-of-service attacks against computer systems; infection by or transmission of malicious code
Data Breach Expenses / Privacy Breach Response Services, such as:
Computer forensics
Expenses to comply with privacy regulations, including notifications
Voluntary notifications
Public relations firm / crisis management firm
Legal services
Credit monitoring
Regulatory Defense and Penalties
Network Extortion
Loss of income coverage
Payment Card Industry (PCI) Fines, Expenses and Costs
Website Media Content Liability
Step 4: Look Explicitly At The Exclusions
Common ones that I see in policies:
Exclusions in the policy that pertain to your business practices.
What territory the policy covers, e.g. a region, a nation, or the globe.
Does the policy contain broad or specific triggers for coverage?
Are vendors covered? The interconnectedness of business today means your company may be exposed to threats originating in another organization. Some policies exclude broad coverage for third parties.
Is social engineering covered? Often, I see a summary of coverage that lists a "social engineering exclusion." These social engineering exclusions can encompass phishing and sometimes even ransomware. But if you only have the summary of coverage without the related definitions, you won't know what may or may not be covered.
Step 5: Negotiate Terms Before A Breach
There might be certain things—such as specific security providers—that you expect to use in the event of a breach or attack. Depending on your negotiated policy, the insurance company might assign you providers.
Bottom Line: If you’re at all concerned about having a second pair of eyes on your cyber policy, it’s probably for a reason. Most policies include at least some of the language mentioned above to give the insurer an out from paying on claims. Better to be careful than sorry.