Cyber Insurance is the Last, not First Step in Risk Mitigation

In the world of risk, and specifically risk mitigation, cyber insurance is the last chapter in your cybersecurity playbook. Let me explain: the goal of any security plan is to mitigate (stop or reduce) threats as much as possible. In a network, that means layered tools (firewall, anti-virus, backups, etc.) along with policies, user education and other techniques. After implementing these active threat-stopping and deterring steps, and thereby reducing your threat landscape to the lowest point achievable for your particular business needs, you then take out a cyber insurance policy to transfer the remaining risk to an insurance company.

The details: cyber insurance can be a benefit when disaster strikes, but a common misconception is that it helps mitigate risk. Cyber insurance alone is not an acceptable form of risk transference. While it is one of the needed layers in mitigating risk, protecting your networks, and protecting your client data, many steps should come before purchasing cyber insurance. These steps also help ensure that when there is an incident, you are in compliance with the requirements the cyber insurance policy imposes as a condition of coverage. Let us take a moment to understand why.

Organizations that do not fully understand the cyber threats their company faces end up purchasing insurance coverage that does not cover their organization’s specific risk. Current coverage types can include the following first-party coverages*:

  • Theft and fraud
  • Forensic investigation
  • Business interruption
  • Extortion
  • Computer data loss and restoration

These are in addition to third-party coverages* that can include:

  • Litigation and regulatory costs
  • Regulatory response
  • Notification costs
  • Crisis management
  • Credit monitoring
  • Media liability

Each of the above coverage sections is specific and can be complicated. If you have not defined your cybersecurity needs, do not understand the risk, and do not have a plan to mitigate it, you may pay for coverage that does not address your organization's risk. Additionally, cyber insurance policies require that certain controls and client procedures be in place before coverage begins. Cyber insurance policies typically contain statements that exclude losses or claims attributed to dishonest practices or criminal acts, contract breach, theft of trade secrets, unfair trade practices, and employment practices.

These could include:

  • Malicious attacks conducted by insiders, such as employees or IT staff
  • Failure to meet institutional compliance requirements, such as those imposed by the Gramm-Leach-Bliley Act (GLBA)
  • Failure of your business partners to protect data entrusted to them

Organizations that fail to implement and enforce cybersecurity measures could void their cyber insurance coverage and leave the organization open to accusations of gross negligence. Cyber insurance underwriters typically ask for copies of current risk assessments or proof of cybersecurity policies and practices. Typical questions from insurance providers cover areas such as:

  • Has your organization implemented cybersecurity policies and procedures?
  • Has your organization implemented risk assessment activities that cover:
    • Current cybersecurity threats to the organization
    • Cybersecurity incidents as they arise
    • Cybersecurity incidents as new systems are implemented or changes to business processes made
  • Does your organization have an assigned individual who oversees, and is accountable for, cybersecurity?
  • Does your organization have threat monitoring and log correlation systems or activities?
  • Does your organization have a cybersecurity awareness training program for your staff?

These are just a few of the example questions that most cyber policies ask. An organization that represents any of these requirements as met, when in fact they are not, can have its coverage voided from the start of the cyber insurance policy term.

In short, cyber coverage gives you a component to fill gaps in your current cybersecurity practices and to mitigate the impact of accepted risks. Cyber insurance does not provide valid coverage for organizations that forgo the implementation of current industry best practices.

To better understand your risks and determine if cyber insurance coverage is a good fit for your organization, work with your company’s designated cybersecurity consultant. If you do not currently have a consultant, the experts at EDTS Cyber are ready to help.


*McGuire Woods “A Buyer’s Guide to Cyber Insurance.”
