Cyber Security: Clearing the fog around cyber insurance policies


By Carl Mazzanti

Cyberattacks against companies of every size are rising. While technical defenses remain the primary deterrent to attackers, many companies are also looking at cyber insurance as a kind of “Plan B.” But not every firm will be able to get coverage.

Insurance can be a good idea, since the threat from criminal and nation-state actors extends beyond traditional ransomware. In one case, an employee unknowingly sent malware to customers and suppliers, and the company was sued for more than $3 million for failing to take appropriate action. In another, a business email compromise: a message that appeared to come from a long-standing vendor asked a company to update the bank account details on file. Believing the request to be legitimate, the company did so and promptly wired more than $200,000 to the fraudster.

The U.S. Small Business Administration says 88 percent of the small business owners it recently surveyed feel vulnerable to a cyberattack, a level of concern that may be even higher than at larger organizations, because smaller firms have fewer resources to defend themselves.

Even as more firms investigate buying protective policies, however, insurers are growing wary of providing such coverage. Global insurance giant AXA, for example, was the first major insurer to announce it would stop reimbursing ransomware payments (in its French policies). And more insurers are closely scrutinizing requests for new policies and renewals of existing ones. Your firm, though, can take some steps to increase the odds of qualifying for critical cyber liability coverage.

First, look beyond basic protection

Cyber insurance policies may offer more than just third-party liability protection, so it is important to carefully review new or existing policies. Some also cover first-party costs such as legal fees, forensic analysis, data restoration, and breach notification and communications.

But many insurers are asking tough questions before extending or renewing policies. Some require policyholders to put specific baseline security controls in place before they will bind coverage. Others require coinsurance, so the policyholder bears a share of every loss, or cap payouts at a percentage of the loss incurred, to limit their own exposure.

To increase the odds of getting approved for a good policy, firms should implement a layered approach to their cyber defenses. At a minimum, an insurer will likely want proof that you have a significant first-line defense against account compromise, such as multi-factor authentication (MFA). An MFA-protected email account or remote-access system goes beyond a single password and requires at least two independent methods to establish identity before a user is allowed in, such as a password plus a one-time code from an authenticator app or a hardware security key. Codes sent by text message are better than nothing, but they are the weakest form, since they can be intercepted through SIM-swap fraud; many insurers now ask specifically whether MFA covers all email, remote access, and administrator accounts.

Increasingly, insurers are also evaluating an applicant’s information management practices and other aspects of its operations. They will consider your firm’s vulnerabilities and how you are working to reduce your exposure to attackers.

So, before you apply for a renewal or for a new policy, do your own review:

- Does your firm collect and retain personally identifiable information, such as Social Security numbers or medical records? If so, are appropriate security measures in place, and are you complying with the regulatory requirements that apply to protecting sensitive personal information?

- More employees are working remotely. This can improve employee retention and efficiency, but it can also make an attacker’s job easier. Are remote and hybrid employees using company-managed computers with current endpoint protection (anti-virus, and endpoint detection and response where available)? Are your desktops, laptops, and mobile devices protected by MFA, and is the data stored on them encrypted? Are they, and the software installed on them, configured to install manufacturer patches and other updates automatically?

- Does your firm have rules about device use? Are there policies, monitored and enforced, that prohibit using a work-issued device for unsanctioned software such as massively multiplayer online (MMO) games, whose third-party downloads and mods are a common malware vector?

- Is access to data restricted, or freely available? Sensitive information should be segregated, and access should be granted on a need-to-know basis. Your sales department, for example, should not have access to bank accounts, R&D files, or accounting records.


Take a layered approach to cyber security

Your insurer will want to know whether you have plans in place for a breach. Are your files backed up consistently, and are the backups isolated (offline or immutable) so they cannot be encrypted or corrupted by the same attack that hits production? Have you actually tested restoring from them? Are there written procedures for these and other steps?

Are you routinely training employees on how to recognize and report attacks? Firms that hold formal employee training sessions two or three times a year, with testing, will be more secure than those with less rigorous programs, and insurers will be more comfortable with these more diligent firms. To keep training and testing current, you can work with a managed IT services provider that specializes in this kind of customized training. Look for a partner that offers expanded programs covering email and other firm assets. The provider should also run simulated phishing campaigns to identify employees who click on unsafe links or engage in other risky behavior (this is distinct from penetration testing, which probes your systems rather than your staff, and which insurers may also ask about).

You can expect your insurer to question your organization’s activities across a variety of operations. Thus, as you review your policies and procedures, get input from different departments, including accounting, IT, and other employees.

Doing an early review, well before you apply for a policy or a renewal, makes you more likely to be approved for coverage. Taking proactive steps also puts you in a better position when the time comes to negotiate terms and pricing. But do not rush to sign a policy: study the terms carefully, since an easily missed exclusion or sublimit can leave you uncovered after a breach. A cyber security managed services provider may be able to supply a qualified policy analyst, or recommend one, to do a thorough review.

The bottom line

No company, firm, or organization is too small to be attacked by a cybercriminal. Experience has shown it is not a matter of whether a company of any size will be targeted but when. If you plan carefully, though, and have a comprehensive, coordinated defense in place, with good insurance coverage as a backup, you will be in a better position to limit the damage from a cyber incident.


Carl Mazzanti is president of eMazzanti Technologies in Hoboken, N.J., providing IT consulting services for businesses ranging from home offices to multinational corporations. The company can be contacted at: 866-362-9926.
