Contractual requirements from third-party suppliers and funders as well as regulatory changes mean CFOs are increasingly being asked, “What are you doing to ensure the company can withstand the financial impact of a breach?”
A typical response: “We rely on insurance policies, such as general liability and errors-and-omissions coverage, to help reduce risk.”
Unfortunately, despite multiple court cases, attempts to have breach-related costs covered by these policies have failed. A successful attack can be devastating, especially for small businesses. Don’t assume standard insurance will protect you.
Cybersecurity insurance, which is specifically designed to address data-breach-related expenses including forensic investigations; monetary losses, such as for ransom payments, a key purchase driver; customer and supplier notifications; and ensuing lawsuits, may seem like the solution. A recent report by credit rating agency A.M. Best said direct premiums written for both standalone and packaged cyber policies grew about 12% in 2018, up from $1.8 billion to $2.0 billion.
Is this insurance right for your company? Here are important considerations.
Regulators do not mandate cyber coverage, but many third-party contracts now routinely require some form of cybersecurity insurance for partners within the supply chain, with the goal of lowering the cost to the vendor for performing breach investigations.
Suppliers are getting much more diligent about asking for proof of insurance each year. If you are a link in a supply chain, ensure the CIO or CISO and legal team carefully and regularly review insurance requirements related to your suppliers, customers and regulatory bodies.
It’s likely at least one partner requires an up-to-date cybersecurity insurance policy.
Despite these packages being widely marketed, historical information on how they perform in the real world is relatively sparse. One thing, however, is clear: If you don’t follow policy requirements exactly, you will not be covered.
Every cybersecurity insurance policy requires your organization to meet a minimum set of expectations regarding common IT processes, such as asset inventory, patching, vulnerability management and incident response. Do not just check the boxes because you assume IT is on top of it. If you do not have written policies, if you do not formally track patching processes and metrics, if you have not performed an incident response tabletop exercise, guess what? You will not be able to prove you are doing what the provider requires to reduce risk.
When a breach does occur, if you can’t readily provide documentation, your claim will likely be denied.
For example, say you attest that “encryption is strictly enforced on all laptops authorized to contain customer data.” If the CIO can’t prove that disk encryption was enabled on a stolen PC containing confidential customer information, you’re out of luck. Remember, IT won’t have the laptop in question. How will you prove that encryption was installed and running?
Similarly, you might need to agree that your organization “scans monthly for known vulnerabilities.” But if IT actually runs scans ad-hoc or not at all, and your organization is hacked via a known security flaw, you will not be covered. Note that truly unknown zero-day attacks account for a small percentage of successful breaches.
Your IT team can’t just talk the talk, they need to have mature processes in place. But in my experience, many don’t.
If you are deficient, answer honestly. Your premiums may go up, but that’s better than not getting the payment you’re depending on during a time of need. Alternatively, use the purchase as an opportunity to improve your security posture. Many insurance carriers offer free or low-cost services to help.
I have seen terminology variances lead to policies not covering what organizations thought they did. The primary place I see confusion with CFOs is the difference between first-party and third-party coverage.
First-party coverage includes costs directly related to your organization’s handling of a breach, items such as customer notification, business interruption and forensics fees. Third-party covers claims related to losses to your customers or vendors due to your breach. Many vendors require third-party coverage for their contracts, but your organization needs both!
Furthermore, IT terms are used differently by different providers. As your organization compares policies, keep in mind that one issuer’s required elements of a risk assessment may not be the same as another’s. Your standard practices may be perfectly acceptable for one provider but not good enough for another. Before launching an expensive overhaul of security policies, shop around.
If you have not shopped for cyber insurance, the bad news is, it’s more expensive than you expect. There’s not enough historical data to help actuaries assess likely breach costs, so providers are charging high premiums to make sure they won’t lose money.
In addition, there is no standard cybersecurity policy. Everything is modular and based on your organization’s maturity. Comparing policies from various providers can be difficult, and if you don’t select the right options, you may not get the coverage you need.
Spend time walking through scenarios — the closer they mirror your incident response tabletop exercise, the better. If you or anyone within your IT or security team is confused, stop. Make sure you understand every nuance before writing a check.
Keep in mind that these policies are not a replacement for a full set of technical controls. Most policies do not cover reputation damage or the cost of your IT organization identifying the problem, executing a response and continuing to operate the business during the breach — something most organizations never test or plan for.
So, should you have a cybersecurity insurance policy? My general recommendation is a resounding “YES!... But.”
If your organization is not mature enough to execute on the minimum requirements for a comprehensive policy, spend the money there before paying premiums.
Shop around. The top cyber insurance providers are Chubb, Axa US and AIG, with the top policy writers being Hartford, Liberty Mutual and Farmers. There is not much distinction in the coverage you can get from each; however, their processes, in terms of evaluating and assessing your risk, are very different. I recommend sticking with a top-tier provider, even though it may demand more mature IT processes and security policies versus a new or niche insurer. I believe a rising tide lifts all boats, and the work IT does to meet a blue-chip insurer’s requirements will pay dividends in your third-party supplier and regulatory relationships.
And of course, adherence to cybersecurity insurance requirements is also a useful mechanism for CFOs to gain some oversight into how your IT organization addresses risk. That’s now a board-level discussion.
Michael A. Davis is CTO of GoSecure, which provides a predictive endpoint detection and response (EDR) platform. He was previously Senior Manager, Global Threats for McAfee. Aside from his work advancing cyber security, Mr. Davis has been a partner in diverse entrepreneurial startups; held a leadership position at 3com; managed two Internet service providers; and recently served as president/CEO of the InClaro Group, a firm providing information security advisory and consulting services based on a unique risk assessment methodology.
As an educator on IT security, Mike’s portfolio of clients includes international corporations such as AT&T, Sears and Exelon as well as the U.S. Department of Defense. His early embrace of entrepreneurship earned him a spot on BusinessWeek’s “Top 25 under 25” list, recognizing his 2005 launch of IT security consulting firm Savid Technologies, which was recognized as one of the fastest growing security companies of its decade. He has a passion for educating others, as a contributing author for the “Hacking Exposed” books, through industry publications including InformationWeek and Dark Reading, and as a speaker at industry conferences including Black Hat, Interop, SuperStrategies, and InfoSecWorld.