Cyber Insurance: Here Are 10 Pitfalls To Avoid
With the continued onslaught of cyber attacks against businesses, the cyber insurance market is expected to grow into a $20 billion industry by 2025, according to some forecasts.
With the continued onslaught of cyberattacks against businesses, the cyber insurance market is expected to grow into a $20 billion industry by 2025, according to some forecasts.
In a recent and compelling webcast about cybersecurity insurance as part of an organization's security strategy, IT leaders experienced in the process discussed the pitfalls that can occur when implementing cyber insurance policies.
The discussion — featuring John Regula, CIO for Bucks County, Pa., and Jack Thompson, information security architect for the Indianapolis Colts — delved into what IT leaders need to know when contemplating cyber insurance. It was hosted by Adam Dennison, vice president of Midsize Enterprise Services (MES) at The Channel Company, parent company of MES Computing.
One of the most important considerations when it comes to cyber insurance is to "think about what you need to cover, why you need to cover, and limitations of coverage," Thompson said at the start of the webcast.
The conversation then turned to the pitfalls that can arise with cyber insurance. Here's a roundup of some of those pitfalls (for more information on avoiding the common and not-so-common pitfalls when selecting cyber insurance, view the entire webcast by logging into or joining the MES IT Leadership Network.
Here are 10 cyber insurance pitfalls to avoid:
Cyber Insurance: Here Are 10 Pitfalls To Avoid
With the continued onslaught of cyber attacks against businesses, the cyber insurance market is expected to grow into a $20 billion industry by 2025, according to some forecasts.
Pitfall 1: Disclosing your insurance carrier's details to an attacker
If bad actors know an organization has cyber insurance, that may increase ransomware demands.
"One of the first things a ransomware demand will ask you for is payment," Regula said. He cautioned the attackers may also ask for specifics about your insurance carrier.
But telling an attacker who the carrier is may be a violation of your insurance contract.
"Based on your policy your cybersecurity team should not respond without feedback from leadership," Regula said.
Cyber Insurance: Here Are 10 Pitfalls To Avoid
With the continued onslaught of cyber attacks against businesses, the cyber insurance market is expected to grow into a $20 billion industry by 2025, according to some forecasts.
Pitfall 2: Not defining who is in charge of payment negotiations in cases like ransomware demands, for example
Who oversees payment demand negotiations? Your company or your insurance carrier? That is an important distinction to make when adopting a cyber insurance policy.
"I would like to retain the right to be able to go and have the negotiations if we decided that payment might be in our purview," Regula said.
However, Thompson said that with his organization's cyber policy, "we are actually required to turn over negotiations" to the insurance carrier and that the carrier will negotiate on the company's behalf.
Thompson said that his organization has a "data breach coach," someone who has been identified by their insurance carrier to negotiate on behalf of the company.
Regula agreed with the idea of a breach coach and said it's "important to establish a rapport with a breach coach" before a security incident occurs.
Cyber Insurance: Here Are 10 Pitfalls To Avoid
With the continued onslaught of cyber attacks against businesses, the cyber insurance market is expected to grow into a $20 billion industry by 2025, according to some forecasts.
Pitfall 3: Not looking into a remediation service
Some cyber insurance carriers require organizations to retain a remediation service, Regula said. These services can help companies minimize business disruptions after a security breach; help them create a proactive security plan; and help fill in security gaps in a company's network.
"You're not just buying cyber insurance, you're buying computer services," Regula said.
Cyber Insurance: Here Are 10 Pitfalls To Avoid
With the continued onslaught of cyber attacks against businesses, the cyber insurance market is expected to grow into a $20 billion industry by 2025, according to some forecasts.
Pitfall 4: Not taking hidden costs into account
Insurance carriers often require organizations to have specific security measures in place before they can purchase a policy - including annual penetration tests, Privilege Access Management (PAM) solutions - and other security requirements, Regula said.
Hidden costs can include "manpower to implement PAM solutions … getting a penetration test completed and then remediating on that penetration test," Thompson said.
Regula said that any cybersecurity requirements may also have to extend to any third-party vendors.
Hidden costs aren't also just about dollars, but the "added human resources to get some of these things in place," Thompson added.
Cyber Insurance: Here Are 10 Pitfalls To Avoid
With the continued onslaught of cyber attacks against businesses, the cyber insurance market is expected to grow into a $20 billion industry by 2025, according to some forecasts.
Pitfall 5: Not understanding the contract period
Most cyber insurance policies require both a security breach incident and the reporting of it to happen within the policy's contract period.
"A policy year is not really a policy year of coverage," Regula said. It's important for IT leaders to understand the contract period terms when shopping for cyber insurance.
Also, if changing insurance carriers, Regula said it's a good idea to look into "tail coverage" - which can protect an organization's claims in case a security policy contract has ended.
Cyber Insurance: Here Are 10 Pitfalls To Avoid
With the continued onslaught of cyber attacks against businesses, the cyber insurance market is expected to grow into a $20 billion industry by 2025, according to some forecasts.
Pitfall 6: Making misstatements on a cyber insurance application
Regula and Johnson said not being upfront about your security infrastructure when applying for insurance is a no-no.
"Coverage can be denied if [the application] contains misstatements - answer as truthfully as possible," Regula said.
Thompson agreed. "If you're asked do you encrypt data at rest and you're not leveraging that or something similar, you should probably answer ‘no," he said.
Regula also said he views the application process as a positive.
"I like filling out security applications because I use them as ammunition to improve our security posture and to further drive security initiatives," he said.
Cyber Insurance: Here Are 10 Pitfalls To Avoid
With the continued onslaught of cyber attacks against businesses, the cyber insurance market is expected to grow into a $20 billion industry by 2025, according to some forecasts.
Pitfall 7: Not being aware of any 'war exclusion'
With high-profile conflicts currently occurring around the world, cyber warfare is often used by nations and groups during physical war.
Coverage for cyberattacks related to physical conflicts may be excluded from an insurance policy, Regula said.
With such exclusions, "your cyber policy may not be as strong as you think it is, so you need to make leadership aware of that," he added.
Cyber Insurance: Here Are 10 Pitfalls To Avoid
With the continued onslaught of cyber attacks against businesses, the cyber insurance market is expected to grow into a $20 billion industry by 2025, according to some forecasts.
Pitfall 8: Not reviewing riders
Regula stressed the importance of reviewing insurance riders.
"Will you get paid over things like business interruption, data loss, customer notification, errors and emission … do you have the correct set of riders?" he said. Riders can "make or break your policy," he said.
Thompson said his team took a series of steps to ensure they had the current riders and appropriate insurance policy.
"One of the things that we did to determine what our coverage should be, [was] looking at the different areas of revenue within the organization and boiling it down to what we make in 24 hours," he said.
He said they then performed threat modeling to gain insight into the likelihood of a security incident taking place.
They wanted to determine what "was the tolerable limit for us" in terms of being hit with a security breach.
Thompson said they tied those limits into their actual insurance plan and into the riders to "make sure we are covered for the specific use cause or issue we've identified within that disaster recovery and business continuity process."
Cyber Insurance: Here Are 10 Pitfalls To Avoid
With the continued onslaught of cyber attacks against businesses, the cyber insurance market is expected to grow into a $20 billion industry by 2025, according to some forecasts.
Pitfall 9: Not understanding how notifications should be handled
Insurance carriers may exclude costs incurred before notifications are made about a security incident.
"All the time and loss before notification of the carrier is non-recoverable on most contracts," said Regula. "Once you go through your process and realize a security event has happened, notification needs to happen. And who need to be involved: leadership the public, the government --- this needs to be worked out," he said.
Cyber Insurance: Here Are 10 Pitfalls To Avoid
With the continued onslaught of cyber attacks against businesses, the cyber insurance market is expected to grow into a $20 billion industry by 2025, according to some forecasts.
Pitfall 10: Not knowing your net presence score
It's vital that organizations have a grasp of their net presence score.
"You have to maintain that net presence score throughout your insurance term," Regula said.
"If you change your website or if you change your public presence and you now have a different score for a time," that may impact your ability to retain coverage using a security incident, he said.