As a business owner, you need a simple, clear message when it comes to cybersecurity insurance. Companies that invest in cybersecurity will have an easier time getting insurance, and their premiums will be less expensive. The opposite holds true for companies that fail to take cybersecurity seriously.
Why Does Your Business Need Cybersecurity Insurance?
Businesses that create, store, manage, or handle any data electronically should carry cybersecurity insurance. Cybersecurity insurance can help minimize downtime, and therefore loss of revenue, after an attack. Some businesses may be required to carry cybersecurity insurance by the regulations they are subject to.
What Should Your Cyber Insurance Policy Cover?
Make sure your policy includes coverage for:
Data breaches (like incidents involving theft of personal information)
Cyber attacks that occur anywhere in the world (not only in the United States)
Cyber attacks on your data held by vendors and other third parties
Cyber attacks (like breaches of your network)
Also, consider whether your cyber insurance provider will:
Defend you in a lawsuit or regulatory investigation (look for “duty to defend” wording)
Provide coverage in excess of any other applicable insurance you have
Offer a breach hotline that’s available every day of the year at all times
What does cyber insurance cover?
Before we get to why companies are rejected for insurance, let us break down what cyber insurance is. There are usually two types of cybersecurity insurance coverage available to organizations.
The first is called ‘first-party’ coverage and covers your company’s own expenses related to data breaches or hacks. The second is called ‘third-party’ coverage and provides protection when a customer, vendor, or partner sues you for allowing a data breach.
You can elect to have one or both coverages in your policy.
"Companies that have not made the cybersecurity improvements deemed necessary by underwriters are still facing challenges to secure coverage, and when they do this tends to be significantly more expensive and subject to more restrictive terms and conditions, such as co-insurance, restricted ransomware and contingent business interruption coverage, and sub-limited or excluded coverage" - Marsh, broker - Insurance Journal July 18, 2022
5 Reasons Companies Are Denied Cybersecurity Insurance Claims
1. Low level of cybersecurity awareness and training
95% of security breaches are caused by human error. In cybersecurity, human error refers to anything from clicking a suspect link to inadvertently downloading malware or using weak passwords. Even with the most secure and expensive security hardware and software in place, if your employees are not properly trained in security policies and procedures, your company is at risk. It is not surprising that companies with poor levels of cybersecurity awareness and training struggle to qualify for cyber insurance. Your company must be able to prove that employees have been comprehensively trained.
2. Weak supply chain/third-party protocols
Companies also need to be aware that the security posture of their supply chain and third-party relationships is vital in their bid for cyber insurance. If a company is truly trying to protect itself from cyber attacks, the level of security inside the organization must also be replicated outside of it. Cyber attackers target companies via their contractors and third-party providers to access internal systems and confidential data. If the cybersecurity of your supply chain is not up to standard, your insurance claim will not be successful.
3. Overlooked endpoint security
To qualify for cyber insurance, companies must show that their security plan is holistic and covers every device. This means implementing sound endpoint security. Endpoint security refers to the process of protecting IoT (Internet of Things) devices such as IP cameras, VOIP phones, and smart devices, as well as desktops, laptops, mobiles, and tablets, from cyber threats and attacks. Endpoint security software protects employees when they are connected to online networks and cloud services. If your company has not implemented sound endpoint security with accompanying incident response protocols, your insurance claim will be denied.
4. No preventative security campaign or culture
If your company has no preventative security measures in place or fails to demonstrate the existence of any security training, your insurance claim will be denied. This does not mean your company needs to build a whole new security plan internally. You can also demonstrate preventative security measures through third-party security awareness providers and training. Once again, if you have no security plan and related documentation in place, it simply is not worth a cyber insurance company’s time to work with your organization, as the risks far outweigh the benefits of the relationship.
5. Inability to prove existence of a security culture
The most frustrating reason companies are rejected by cyber insurance agencies is their inability to demonstrate that security measures are actually in place and being followed. When assessing your claim, insurance agencies will request evidence that networks are sufficiently protected and that employees are aware of threats and risks in the cyber space. Unfortunately, many companies fail to provide this because they are either operating internally and unaware of the ever-changing threats in the cyber space, or have no mechanism in place to measure employee security awareness. Network-iQ offers comprehensive technologies and expertise to build a security culture, and can provide detailed assessment reports and research surveys to highlight the security strength of a workforce.