Onepath recently held an expert panel discussion on the value cyber insurance and legal coverage provides for small and medium businesses. Our expert speakers included Bartley Miller from Sterling Seacrest Partners, Juliana Neelbauer from Drew Eckl & Farnham, and Paul McBratney from Alert Logic.
The discussion centered around how cyber insurance works and what businesses need to do in order to ensure their coverage. Here are the highlights from the discussion:
There Is No Standardization Around Cyber and Privacy Insurance
According to CIO, cyber insurance “is designed to help an organization mitigate risk exposure by offsetting costs involved with recovery after a cyber-related security breach or similar event.”
As an insurance consumer, you need to be aware that there is no standardization in cyber and privacy insurance right now. It changes market by market and region by region.
When buying cyber insurance, it’s either purchased as part of a commercial package policy, where you would have your property and general liability coverage, or you can opt for standalone coverage. These policies will cover all or some of the following:
- First-party losses
- Third-party losses
- Cyber-crime exposure
For first-party losses, you have forensics, remediation services, legal expenses, and notification expenses. This is where the lack of consistency among cyber insurance plans can get confusing. For example, with notification expenses, you have 50 states that have different regulations. You also have federal compliance laws if you fall under HIPAA or PHI regulations. The notification expenses are charged on either a dollar or per person basis. Do you have a million notifications? Or do you have a million dollars in notification expenses? There’s a big difference and it depends on the type of business that you’re running.
Alternatively, third-party losses cover liability for anyone that you owe responsibilities to. Let’s say you have a breach and someone sues you over the private information that was stolen. That is covered by cyber liability coverage. Think about the LabCorp and Quest Diagnostics breach. It involved a third-party vendor that provided services to those organizations. Even though they didn’t cause the breach, it involved someone they worked with so they are inherently responsible for those damages.
As for cyber-crime exposure, this includes all the things you read about in the news: social engineering, fraudulent instruction, invoice manipulation. However, most policies do not extend coverage to cyber crime automatically.
Check Your Insurance Policy Frequently
There has been a lot of “set it and forget it” in general liability coverage in the past six years. Perhaps the wording of your policy when you bought it covered cyber. Insurance companies, especially smaller ones, were not making those carve-outs to protect their own business and their ability to cover you.
If your insurance company has not made those distinctions yet, you need to find a more sophisticated provider. When push comes to shove and you have a major incident, you need your insurance company to be there.
By clarifying your cyber insurance requirements and clauses, you are going to protect yourself and your business a lot more. Once you have compliance in place, if an incident occurs, you have contained the scope of your risk in a big way.
Compliance Doesn’t Equal Security
Compliance itself is not security. It is a group of check boxes or mandates that regulators require.
A lot of companies check all the compliance boxes, yet they’re not secure. Unfortunately, you’ll never reach a place of security if you only do what’s mandated.
The key is to get in the habit of operationalizing your compliance mandates and looking deeply to make sure you really do have a multi-level security approach. You need a security plan that enumerates what your mandates are and who is doing it. You must answer questions like:
- Who is responsible for this?
- How do I get coverage out to every new device?
- How do I audit that?
- How do I ensure it is updated on an ongoing basis?
It’s easy to get in the habit of saying another group oversees your security, but it’s up to you to make sure it’s happening.
Be Consistent to Ensure You’re Not Denied a Claim
When applying for cyber insurance, you’ll fill out an application by which you make representation that your business is taking certain step to protect your data. However, if you’re not taking those steps, then you could be denied coverage when you need it most.
Policy holders are often denied coverage due to late reporting. For example, you could have an event and you’re unsure if data was compromised. If your internal or external teams are not digging into that event to quickly find out what happened and it later becomes a full-on data breach, the insurance company could say that they should have been aware when the event occurred.
To avoid this, keep a weekly or monthly log internally that is going to management. They should be the ones to sign off on what you are going to do about the event.
To further protect yourself, it helps to think about your security efforts as a timeline. There may be one or two people who are thinking about your security every day. Whether it’s a vendor or an internal person, they can put together reports that detail your efforts.
Accountability Is the Bottom Line
Every business with an internet connection 100% needs cyber insurance, but simply having an insurance policy will not protect your business from cyber-attacks.
Most importantly, executives and board members must take a vested interest in the company’s cybersecurity and compliance health on a quarterly basis. This will create a culture of accountability all the way down the organization.
Additionally, consider leveraging outside help for the peace of mind that there’s people internally and externally working to protect you.
Accomplishing this will help give you a well-documented system that’s defensible in a court of law, if you should ever need it.