Cybersecurity Insurance, Why You Need It and What You Need to Know Before You Get It
$3.92 million. That’s the cost of an average data breach in 2019, according to IBM’s Cost of a Data Breach Study. For small businesses, those with less than 500 employees, the cost of successful cyberattack is particularly chilling. For these types of organizations, a breach can cost more than $2.5 million on average. So, for any leader who believes his or her organization is too small to be a target, that’s not true anymore…for anyone.
Organizations have been carrying multiple types of business insurance for decades, including general liability insurance, Directors and Officers (D&O), Errors and Omissions (E&O), and other types of insurance that cover unforeseen business events. However, in the last five to ten years, cybersecurity insurance has become critical to help protect against losses.
When TriCorps conducts a risk analysis or assessment, we often find that the organization we’re assessing does not have adequate insurance to protect its data or computing environments against criminal threats or losses. This is a big vulnerability that could lead to extreme exposure.
What is Cybersecurity Insurance?
Cybersecurity insurance is insurance specifically designed to help protect against losses incurred through digital means. This might be a system failure taking down a computer network or a criminal who is able to socially engineer, or trick, an employee into wiring money to a fake account, or tricking a team member into clicking on an email link or attachment, unleashing a ransomware attack.
IT environments (including cloud computing and Software-as-a-Service applications) have proven very difficult to fully protect. Most organizations (especially smaller ones) cannot afford the “rock-star” class of experts that can reasonably protect them, especially considering the number of unfilled cybersecurity jobs is expected to reach 1.8 million by 2022.
Organizations do what they can to maximize protection and minimize risk, but in the end, there are unforeseen situations that could not be planned for. For these situations, one may purchase cybersecurity insurance.
There are a number of plans out there which cover an array of potential breaches and failures, and it is important to be smart when choosing your plan. Some of the things to look for in a cybersecurity insurance plan include:
- Protection against losses if your computing environment fails (equipment, power, facility failures)
- Support for forensics and remediation efforts in the case of an incursion by cybercriminals, including scans and analyses to certify the network as clean
- Access to experts to help your security staff be up to date on new vulnerabilities and ways to protect against these vulnerabilities
- Protection from the types of fraud in which employees are tricked through voice, email, or communication platforms into transferring money
- Recovery costs in the case of ransomware or other catastrophic data loss
- Protections in the case of employee fraud or theft using the organization’s computer systems
Many plans have standard protections to cover forensic, recovery, and mitigation costs ranging from $1 million – $5 million typically. Most plans have a much lower limit on social engineering attacks, (where fraud and trickery are used) ranging anywhere from $25K – $250K.
There are a wide variety of plans out there, and companies need to be careful to make sure they are adequately covered. The most likely paths for criminals to steal money or data is using social engineering tactics. You need to make sure that you understand what is included in any social engineering protection and ensure you are comfortable with the protected amounts.
You also need to pay attention to the exclusions of the policy. These are the items explicitly not covered, which can come back to bite you if they are not well understood. For example, many plans have exclusions if an attack is perpetrated as a matter of war or international conflict. Some insurance companies have actually denied claims in major breaches because the attackers were from another country. Insurance companies, in these cases, have worked to avoid payment by claiming that if a nation-state is involved (i.e. the attack comes from within the border of another country), it is an act of war, and therefore they are not liable. Because of this, it is important to ask questions of your insurance provider on their claim history.
TriCorps routinely provides cybersecurity assessments to companies and helps them understand their risk. As part of these assessments, we do look at existing cybersecurity insurance policies and provide feedback regarding their relationship to best-in-class policies. Since cybersecurity insurance is such a new type of coverage, many still refer to it as the “wild west” where there can be significant differences in policies written by different underwriters.
One of the things often excluded in policies is when attacks are facilitated through unsuspecting business partners, such as vendors, that have connections to your networks or login credentials to your systems. One of the best things you can do for your organization is to ensure that your vendors commit contractually to an adequate level of cybersecurity themselves and will indemnify you of any losses caused by their inattention or negligence.
A great many attacks on large companies have been initiated through smaller, less-diligent partners sharing data or networks. The infamous Target “hack” was possible because the attackers came in through a Heating Ventilation and Air Conditioning (HVAC) vendor, who failed to properly protect Target’s network. Through a series of unfortunate events, hackers were able to use the HVAC vendor to gain access to Target’s systems in a trusted environment, behind the firewalls that would normally be checking for malicious traffic.
An effective governance process for security is needed, so that an organization can periodically examine its risk in this area. TriCorps provides expert resources while performing a comprehensive cybersecurity risk analysis. We can also provide an integrated security risk analysis to an organization. This includes physical and electronic security (such as the effectiveness of access controls and surveillance) in addition to cybersecurity. The integrated security analysis can determine how all of these three critical areas of security are working in tandem to best protect an organization from every threat, whether physical, digital, or both.
We frequently see risk areas that organizations do not consider, and we share protection and mitigation techniques that we’ve identified in our work. As part of our risk analysis process, we observe the risks and provide avoidance or remediation guidance. We also provide an assessment of an organization’s cybersecurity insurance policy (if it exists) and recommend the type of coverage an organization should have to better align with best practices. We also can assess vendor management practices to ensure that vendors are signing up to provide adequate cybersecurity safeguards and protections to an organization. This can help an organization determine if a vendor they are currently working with, or would like to work with, is going to adequately protect its digital assets.
No organization is too small or “under the radar” when it comes to becoming a target of cybercrime. You are a target already. If you haven’t been hit yet, likely it is a matter of time. This isn’t to scare you. This is to prepare you. Meanwhile, cybercriminals are automating and industrializing their cyberattack methods and social engineering techniques, allowing them to conduct a greater number of cyberattacks and social engineering scams.
You must move away from reactive cybersecurity and toward proactive cybersecurity. One of the most important ways to be proactive is to obtain an adequate cybersecurity insurance policy. Additionally, you need to ensure that vendor contracts include language to protect you. Only those organizations with effective protections and insurance will be able to weather a major attack.