Any business with an internet connection is at risk for cyber attacks. Today’s cybersecurity landscape requires that business leaders do everything in their power to minimize their company’s liability and risk.
With the rise of data breaches in 2019, understanding the ways to lower your risk is more important than ever. To get a better idea of how cyber insurance works, we interviewed Onepath’s Chief Financial Officer, Opal Ferraro, and Chief Technology Officer, Patrick Kinsella. Here are their thoughts:
Any Business Is a Cyber Attack Target
Opal Ferraro: If you’re a business with a computer, you should consider cyber insurance. If you have any kind of network or internet connection, then you should absolutely consider getting insured. Ransomware is a growth industry for criminals.
Patrick Kinsella: Absolutely. The same way you would get insurance for your car or phone, you need to insure your business against cybersecurity incidents. The insurance will not stop the attack from taking place, but it will minimize the risk to your business when (not if) it happens. You still need to take the necessary steps to create an incident response plan. Audit your cybersecurity posture. Take advantage of security awareness training and intrusion detection. Just because you have an alarm system doesn’t mean you wouldn’t still get homeowner’s insurance. It’s that final backstop against a breach.
The Best Time to Get Insured Is Now
Opal: Many years ago, no one had employment practice liability and now nearly everyone does. Cyber insurance is in the same place. It’s a new kind of policy, so that means it doesn’t cost that much right now. However, it will go up. There will be more claims and people needing it. Be thoughtful and work with a good broker who understands your business needs. Obviously, if you’re a firm with a lot of PHI, you need a different policy than a coffee shop, so keep in mind the differences based on your compliance needs and industry regulations.
Patrick: I agree with talking to a broker about a policy. However, just like how auto insurance premiums vary with risk, it is important to make the upfront investment in lowering your risk profile to not only reduce the likelihood of a breach requiring a claim, but also reduce the cost of maintaining such a policy. Speak to a cybersecurity advisor about how to prioritize and implement cybersecurity best practices in conjunction with exploring coverage options through your broker.
Cyber Insurers Are Measuring Your Risk
Opal: Insurers are measuring your business’s risk of suffering a cybersecurity attack or data breach. As time goes on, they will become more adept at it. When you apply for cyber insurance, you must answer several questions about what your business does to protect itself. How well you can answer those questions will help insurers determine your premium.
Lack of Knowledge Is Still the Biggest Issue
Opal: The biggest issue facing businesses about cyber insurance is a lack of knowledge or necessity to take prudent steps to prevent the need to make a claim. One misconception about cyber insurance is that it’s a silver bullet. Even though I highly recommend getting insured, making a claim is severe. That means that someone was successful in attacking you. They were successful in getting you to send money to the wrong place. Your data or business secrets were compromised. They’ve done something to cost you money.
Patrick: Making a claim doesn’t get your business back. It’s a long process before you recoup the money. Even if you’re successful in recovering direct damages, an insurance policy can only do so much when it comes to restoring your reputation. A breach can be a business-ending and life-changing event.
Instead of waiting for a breach and figuring out how to fix it, the bigger question is—what are you doing to prevent a cyber breach? For small and medium businesses, typically the burden of compliance falls on the owner, business controller, or the chief financial officer. Access to the kind of talent needed for an appropriate cybersecurity posture can be a real challenge. Even companies with $500M in revenue outsource cybersecurity like you would outsource the monitoring of your burglar alarm. Unfortunately, the reality is that the attackers are continuing to improve with each breach they complete. Therefore, leaders must continue to make investments in cybersecurity.