Business owners need to hear a simple, clear message when it comes to cybersecurity insurance: companies that invest in cybersecurity will find it easier to get insurance, and their premiums will be lower. The opposite holds true for companies that fail to take cybersecurity seriously.
Why Does Your Business Need Cybersecurity Insurance?
Any business that creates, stores, manages or handles data electronically should carry cybersecurity insurance. It can help minimize downtime, and therefore lost revenue, after an attack. To show why it matters, let's look at some examples.
In 2011 Sony's PlayStation Network was breached. The attackers exposed information relating to 77 million user accounts, and the service was offline for 23 days. The breach cost Sony a reported $178 million and led to a class action lawsuit seeking $2 billion. Unfortunately for Sony, its existing policy only covered physical property damage, not cyber losses, and its insurer argued that the breach was not covered. The hack had lasting consequences: Sony had to increase its security measures and was left with a clear need for dedicated cyber insurance.
In 2017 Equifax, a credit reporting agency, suffered a data breach affecting 147 million consumers. Equifax agreed to a settlement of up to $700 million with the US Federal Trade Commission (FTC) and other regulators, covering consumer reimbursement, identity theft recovery and credit restoration services, and penalties for failing to secure those 147 million records. Equifax did have cyber insurance in place: $125 million of coverage above a $7.5 million deductible. That did not come close to covering the ballooning costs of damage claims and continued identity theft recovery for victims in both the US and the UK. Whilst Equifax received a payout, it could not demonstrate a high enough level of security measures to receive the maximum one.
The US saw a 39% increase in cybercrime at the height of the pandemic, between 2020 and 2021. Data from Hiscox shows that for businesses with 50 to 249 employees a cyber incident costs an average of $150,000, while for companies with 250 to 999 employees the average cost is $520,000.
The examples above show that half measures lead to full fallout. The more robust your security culture and policies, the more likely you are to qualify for insurance, and the smaller the impact of a breach will be. According to Spiceworks data, 38% of organizations now carry some form of cyber insurance, and 71% of those bought the policy as a precaution, for 'peace of mind'.
What Should Your Cyber Insurance Policy Cover?
Make sure your policy includes coverage for:
Data breaches (such as incidents involving theft of personal information)
Cyber attacks that occur anywhere in the world (not only in the United States)
Cyber attacks on your data held by vendors and other third parties
Cyber attacks (such as breaches of your network)
Also, consider whether your cyber insurance provider will:
Defend you in a lawsuit or regulatory investigation (look for “duty to defend” wording)
Provide coverage in excess of any other applicable insurance you have
Offer a breach hotline that is available around the clock, every day of the year
"Companies that have not made the cybersecurity improvements deemed necessary by underwriters are still facing challenges to secure coverage, and when they do this tends to be significantly more expensive and subject to more restrictive terms and conditions, such as co-insurance, restricted ransomware and contingent business interruption coverage, and sub-limited or excluded coverage." - Marsh (broker), quoted in Insurance Journal, July 18, 2022
What does cyber insurance cover?
Before we get to why companies are rejected, let's break down what cyber insurance is. There are usually two types of cybersecurity insurance coverage available to organizations.
'First-party' coverage pays your own company's costs arising from a data breach or hack, such as forensic investigation, customer notification, recovery and business interruption. 'Third-party' coverage protects you when a customer, vendor or partner sues you for allowing a data breach.
You can elect to have one or both coverages in your policy.
The Main Reasons Companies are Denied Cybersecurity Insurance Claims
Low level of cybersecurity awareness and training
Human error is the most commonly cited cause of security breaches; one widely quoted figure puts it at 95%. In cybersecurity, human error covers anything from clicking a suspect link to inadvertently downloading malware or using weak passwords. Even with the most secure and expensive security hardware and software in place, if your employees are not trained in your security policies and procedures your company is at risk. It is not surprising that companies with poor levels of security awareness and training struggle to qualify for cyber insurance: you must be able to prove that employees have been comprehensively trained.
Weak supply chain/third party protocols
The state of your supply chain and third-party relationships also matters in your bid for cyber insurance. A company that is serious about protecting itself extends the level of security inside the organization to the parties connected to it. Attackers target companies through their contractors and third-party providers to reach internal systems and confidential data, so if the security of your supply chain is not up to standard your application, or a later claim, is likely to be rejected.
Overlooked endpoint security
To qualify for cyber insurance, companies must show that their security plan is holistic and covers every device. That means sound endpoint security: protecting every device that connects to your network, from desktops, laptops, phones and tablets to IoT (Internet of Things) devices such as IP cameras, VoIP phones and smart devices. Endpoint security software protects employees whenever they connect to networks and cloud services. If your company has not implemented endpoint security, backed by incident response procedures for when it raises an alarm, expect a claim to be denied.
No preventative security campaign or culture
If your company has no preventative security measures in place, or cannot demonstrate any security training, a claim will be denied. This does not mean you need to build a whole new security program internally: preventative measures can also be demonstrated through third-party security awareness providers and training. Again, without a security plan and the documentation to go with it, it is simply not worth a cyber insurer's time to work with your organization; the risks far outweigh the benefits of the relationship.
Inability to prove existence of a security culture
The most frustrating reason companies are rejected is an inability to demonstrate that security measures are actually in place and being followed. When assessing an application or a claim, insurers request evidence that networks are adequately protected and that employees are aware of current threats and risks. Many companies fail here, either because they operate in isolation and are not aware of the ever-changing threat landscape, or because they have no mechanism to measure employee security awareness. Network-iQ offers the technologies and expertise to build a security culture, and can provide detailed assessment reports and research surveys that show the security strength of a workforce.
Network-iQ Can Help you Qualify for Cybersecurity Insurance, and Ensure your Company Meets the Requirements in the Event of a Claim.
Cyber insurance coverage requirements
To set your premium and coverage limits, and to decide whether you qualify at all, most providers carry out a cyber insurance risk assessment as part of underwriting. Depending on the size of your company, this ranges from a questionnaire to a detailed analysis carried out over several weeks by a cybersecurity firm. Regular check-ups and reassessments are also common.
To keep risk at an acceptable level, policyholders are required to meet basic IT security standards in order to qualify for cyber insurance. At a minimum, a company seeking cyber insurance must have the following security measures in place:
Use multi-factor authentication (MFA) everywhere it can be applied.
This is one of the simplest yet most effective actions any organization can take. If you are not enabling it, you are essentially leaving your doors unlocked. MFA protects your applications by requiring a second source of validation, such as a phone or hardware token, to verify the user's identity before granting access. Underwriters typically ask specifically whether MFA covers remote access, email and all privileged or administrative accounts, so those are the first places to enforce it.
Conduct a comprehensive risk assessment annually. This identifies your cyber risk in the same way an inspection identifies problems with your plumbing or electrics. Identifying risks means little without the next step, so make sure the assessment is followed by a detailed plan of action.
Require security awareness training for all staff
The most significant vulnerability in your network is your people. Teaching them the basics, and building a culture of cybersecurity within the organization, greatly reduces risk.
Network-iQ provides an employee cybersecurity training platform that meets these requirements.
Mandate secure remote access: VPN connections or a Virtual Desktop Infrastructure (VDI)
With remote work here to stay, this matters more than ever. Home networks and public Wi-Fi increase risk and exposure; enforcing secure access reduces it.
All PCs must run endpoint protection (antivirus/antimalware), and it must be kept up to date. This simple requirement is often not met because keeping it current is left to the end user. It must be centrally managed so that every endpoint has the latest information to combat malware. Many underwriters now ask specifically for endpoint detection and response (EDR) rather than signature-only antivirus, since EDR records and alerts on suspicious behaviour instead of only matching known malware.
Targeted phishing emails have become one of the top three sources of stolen credentials, and they are also used to trick an employee into sending funds or granting access to the external attacker. Anti-phishing technology combined with ongoing employee training to recognise phishing emails reduces the likelihood of this kind of breach.
The company network must be protected by a next-generation firewall.
Business data must be backed up regularly to external media and/or a secure cloud service.
Backups must be designed so that malware cannot reach them: at least one copy should be offline or immutable so that ransomware cannot encrypt or delete it, backups should be verified and test-restored, and, depending on your regulatory or insurance requirements, they must meet standards for archiving and retention.
User access rights and permissions must follow a secure provisioning process. All logins and file access must be logged and monitored for changes to, or breaches of, access privileges.
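Keeping a backup copy where malware cannot write to it is half of the design; the other half is being able to prove, before you need to restore, that the copy has not been altered or thinned out. The following is an added example (not Network-iQ's code) of that check: a manifest of SHA-256 digests for every file in a backup set, authenticated with an HMAC key that is held only on the backup/verification host, never on the machines being backed up. Malware that reaches a backup copy can encrypt or delete files, but it cannot produce a valid manifest for the changed set without that key, so the change is caught at verification time. The backup set is modelled in memory as a mapping of relative path to file bytes; the file names, contents and key are constructed for illustration.

```python
"""Signed-manifest integrity check for a backup set.

Added example, not Network-iQ's code.  Files and key below are constructed.
"""
import hashlib
import hmac
import json
from typing import Dict, List

SIGNATURE_ERROR = "manifest signature invalid: manifest altered or wrong key"


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(entries: Dict[str, str]) -> bytes:
    # Deterministic serialisation so the HMAC is reproducible at verify time.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(files: Dict[str, bytes], key: bytes) -> str:
    """Hash every file and sign the path->digest table with the verification key."""
    entries = {path: digest(data) for path, data in files.items()}
    tag = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return json.dumps({"entries": entries, "hmac": tag})


def verify_backup(files: Dict[str, bytes], manifest: str, key: bytes) -> List[str]:
    """Return a list of problems; an empty list means the set matches its manifest."""
    doc = json.loads(manifest)
    expected = hmac.new(key, _canonical(doc["entries"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc.get("hmac", "")):
        return [SIGNATURE_ERROR]          # stop: the table itself cannot be trusted
    problems = []
    for path, expected_digest in sorted(doc["entries"].items()):
        if path not in files:
            problems.append(f"missing: {path}")
        elif digest(files[path]) != expected_digest:
            problems.append(f"modified: {path}")
    for path in sorted(files):
        if path not in doc["entries"]:
            problems.append(f"unexpected: {path}")
    return problems


if __name__ == "__main__":
    # Constructed backup set and key (the key would live only on the verification host).
    key = b"verification-host-key-not-on-clients"
    backup = {"db/payroll.sqlite": b"A" * 100, "docs/policy.pdf": b"B" * 50}
    manifest = build_manifest(backup, key)
    print(verify_backup(backup, manifest, key))            # []
    backup["db/payroll.sqlite"] = b"encrypted-by-ransomware"
    print(verify_backup(backup, manifest, key))            # ['modified: db/payroll.sqlite']
    forged = build_manifest(backup, b"attacker-guess")
    print(verify_backup(backup, forged, key))              # [signature error]
```

Run the verification from the backup host on a schedule and alert on any non-empty result; a restore test on top of this proves the files are not just intact but usable, which is what an insurer means by "tested backups".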
Network-iQ employs a Zero Trust platform for meeting these requirements.
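The monitoring requirement above is easy to state and hard to evidence. As an added example (not Network-iQ's platform code) the following script runs four detection rules over constructed, illustrative login and file-access log lines in a simple key=value format: a privileged group change made by someone outside the authorised administrator set (or by the user granting themselves), a successful login that follows a burst of failures, a successful login outside business hours, and access to a sensitive share by a user whose role does not allow it. The group names, administrator list, sensitive paths, roles and hours are assumed policy inputs that an organization would set for itself.

```python
"""Access-log monitoring rules.  Added example, not Network-iQ's code.

Log lines and all policy tables below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timezone
from typing import List

# Assumed policy inputs (not from the original page).
PRIVILEGED_GROUPS = {"Domain_Admins", "Administrators"}
AUTHORIZED_ADMINS = {"it-admin"}                     # may change privileged group membership
SENSITIVE_PATHS = {"/shares/finance/": {"finance"}}  # path prefix -> roles allowed to read it
USER_ROLES = {"jdoe": {"engineering"}, "asmith": {"finance"}, "bnew": set()}
BUSINESS_HOURS = (7, 19)                             # 07:00 to 19:00 UTC
FAILURE_THRESHOLD, FAILURE_WINDOW = 5, 300           # N failures within this many seconds

# Constructed sample log lines (not real logs).
SAMPLE_LOGS = """\
2024-03-04T09:02:11Z host=fs01 event=login user=jdoe src=10.0.4.22 result=success
2024-03-04T09:05:40Z host=fs01 event=file_access user=jdoe path=/shares/eng/design.doc action=read
2024-03-04T09:07:03Z host=dc01 event=group_add user=jdoe group=Domain_Admins actor=jdoe
2024-03-04T10:15:20Z host=fs01 event=file_access user=jdoe path=/shares/finance/payroll.xlsx action=read
2024-03-04T23:41:09Z host=vpn01 event=login user=asmith src=203.0.113.9 result=failure
2024-03-04T23:41:12Z host=vpn01 event=login user=asmith src=203.0.113.9 result=failure
2024-03-04T23:41:15Z host=vpn01 event=login user=asmith src=203.0.113.9 result=failure
2024-03-04T23:41:18Z host=vpn01 event=login user=asmith src=203.0.113.9 result=failure
2024-03-04T23:41:21Z host=vpn01 event=login user=asmith src=203.0.113.9 result=failure
2024-03-04T23:41:30Z host=vpn01 event=login user=asmith src=203.0.113.9 result=success
2024-03-04T14:00:00Z host=dc01 event=group_add user=bnew group=Helpdesk actor=it-admin
"""


def parse(line: str) -> dict:
    """Split 'TIMESTAMP key=value key=value ...' into a dict with a UTC datetime."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def _alert(rule: str, user: str, line: str) -> dict:
    return {"rule": rule, "user": user, "line": line}


def _recent(times: list, now: datetime) -> list:
    return [t for t in times if (now - t).total_seconds() <= FAILURE_WINDOW]


def analyze(log_text: str) -> List[dict]:
    """Return one alert dict per rule violation, in log order."""
    alerts: List[dict] = []
    failures = defaultdict(list)   # user -> timestamps of recent failed logins
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        user, kind, t = ev["user"], ev["event"], ev["time"]
        if kind == "group_add":
            outsider = ev["actor"] not in AUTHORIZED_ADMINS
            if ev["group"] in PRIVILEGED_GROUPS and (outsider or ev["actor"] == user):
                alerts.append(_alert("unauthorized_privilege_change", user, line))
        elif kind == "login":
            failures[user] = _recent(failures[user], t)
            if ev["result"] == "failure":
                failures[user].append(t)
            else:
                if len(failures[user]) >= FAILURE_THRESHOLD:
                    alerts.append(_alert("success_after_failure_burst", user, line))
                failures[user] = []
                if not BUSINESS_HOURS[0] <= t.hour < BUSINESS_HOURS[1]:
                    alerts.append(_alert("off_hours_login", user, line))
        elif kind == "file_access":
            for prefix, allowed in SENSITIVE_PATHS.items():
                if ev["path"].startswith(prefix) and not (USER_ROLES.get(user, set()) & allowed):
                    alerts.append(_alert("sensitive_access_outside_role", user, line))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOGS):
        print(f'{a["rule"]:32} {a["user"]:8} {a["line"]}')
```

Note that the brute-force rule fires only on the success that follows the failures, which is the event worth paging someone for; the failures alone are worth a count in a dashboard. Whichever rules you run, keep the raw log lines that triggered each alert, since that is exactly the evidence an insurer or auditor asks for after an incident.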
Documentation of policies, procedures and network information must be created, maintained and reviewed for accuracy, consistency and relevance. An insurance or compliance auditor will often ask for copies of your documentation first: employee computer access policies, written security policies, password policies, facility access policies and the documentation of the related procedures. Without these documents you may find a claim rejected, or, in the case of regulatory compliance, your company facing fines for non-compliance.
Password management is increasingly a requirement of cyber insurance underwriters. Weak, reused and slightly altered passwords are among the most frequently cited vulnerabilities. A proper password management policy and a password manager are crucial to a secure network, and good password management also includes password auditing and logging.
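As an added example (not Network-iQ's platform code) of the auditing and policy enforcement just mentioned, the script below does two things. At password-change time it rejects a proposed password that is too short, that appears in a breach corpus, that exactly repeats a previous password, or that is only a slight alteration of one (the "Summer2023!" to "Summer2024!" or "Password" to "P@ssw0rd" pattern, caught by stripping leading and trailing digits and symbols and undoing common letter substitutions). As an audit it finds accounts that share the same stored password hash, which works on unsalted hashes such as the NT hashes in Active Directory without anyone ever seeing a plaintext password. The breach corpus, the leet table and the account hashes are constructed for illustration; a real deployment would query a breach service such as Have I Been Pwned's range API, whose lookups are by upper-case SHA-1 digest as mirrored here.

```python
"""Password policy check and hash-reuse audit.  Added example, not Network-iQ's code.

The breach corpus and account data are constructed for illustration.
"""
import hashlib
import re
from collections import defaultdict
from typing import Dict, Iterable, List

MIN_LENGTH = 12   # assumed policy minimum

# Constructed stand-in for a breach corpus, keyed by upper-case SHA-1 digest
# (the lookup convention used by the Have I Been Pwned range API).
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("Password1", "Summer2023!", "letmein", "Welcome123")
}

# Common substitutions undone during normalisation so "P@ssw0rd" == "Password".
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest().upper()


def normalize(password: str) -> str:
    """Reduce a password to its letter core so trivial variants compare equal:
    strip leading/trailing digits and symbols (the usual 'bump the year' edit),
    undo leet substitutions, lower-case, and drop anything still not a letter."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)
    core = core.translate(LEET).lower()
    return re.sub(r"[^a-z]", "", core)


def check_new_password(new: str, history: Iterable[str]) -> List[str]:
    """Return the rules a proposed password breaks; an empty list means accepted."""
    problems: List[str] = []
    previous = list(history)
    if len(new) < MIN_LENGTH:
        problems.append("too_short")
    if sha1_hex(new) in BREACHED_SHA1:
        problems.append("breached")
    if new in previous:
        problems.append("reused")
    elif normalize(new) in {normalize(p) for p in previous}:
        problems.append("variant_of_previous")
    return problems


def find_shared_passwords(hash_by_account: Dict[str, str]) -> List[List[str]]:
    """Audit: groups of accounts whose stored (unsalted) hashes are identical,
    i.e. accounts sharing one password, found without recovering any password."""
    groups = defaultdict(list)
    for account, stored_hash in hash_by_account.items():
        groups[stored_hash].append(account)
    return sorted(sorted(accounts) for accounts in groups.values() if len(accounts) > 1)


if __name__ == "__main__":
    print(check_new_password("Summer2024!", ["Summer2023!"]))   # ['too_short', 'variant_of_previous']
    print(check_new_password("P@ssw0rd2024", ["Password1"]))    # ['variant_of_previous']
    print(check_new_password("correct horse battery staple", ["Summer2023!"]))   # []
    # Constructed directory dump: account -> stored hash (sha1 stands in for the NT hash).
    dump = {"jdoe": sha1_hex("Winter2024!"), "svc-backup": sha1_hex("Winter2024!"),
            "asmith": sha1_hex("tP9#vL2q!mZx8")}
    print(find_shared_passwords(dump))                           # [['jdoe', 'svc-backup']]
```

The normalisation is deliberately crude; its job is to catch the predictable edits users make when forced to rotate, not to replace a breach check or a minimum length. Log every rejection reason (without the password itself) so the audit trail shows the policy is enforced, not just written down.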