{"id":5671,"date":"2019-10-26T03:42:38","date_gmt":"2019-10-26T03:42:38","guid":{"rendered":"http:\/\/tricorps.com\/?p=5671"},"modified":"2021-12-29T21:56:24","modified_gmt":"2021-12-29T21:56:24","slug":"cybersecurity-insurance-why-you-need-it-and-what-you-need-to-know-before-you-get-it","status":"publish","type":"post","link":"https:\/\/tricorps.com\/2019\/10\/26\/cybersecurity-insurance-why-you-need-it-and-what-you-need-to-know-before-you-get-it\/","title":{"rendered":"Cybersecurity Insurance, Why You Need It and What You Need to Know Before You Get It"},"content":{"rendered":"\n<p><strong>$3.92 million<\/strong>. That\u2019s the cost of an average data breach in 2019, according to&nbsp;<a rel=\"noreferrer noopener\" href=\"https:\/\/newsroom.ibm.com\/2019-07-23-IBM-Study-Shows-Data-Breach-Costs-on-the-Rise-Financial-Impact-Felt-for-Years\" target=\"_blank\">IBM\u2019s Cost of a Data Breach Study<\/a>.&nbsp;For small businesses,&nbsp;those with less than 500 employees, the cost of&nbsp;successful cyberattack&nbsp;is particularly&nbsp;chilling. For these types of organizations,&nbsp;a breach can cost more than $2.5 million on average.&nbsp;So, for any leader&nbsp;who&nbsp;believes&nbsp;his or her&nbsp;organization is&nbsp;too small to be a target, that\u2019s not true anymore\u2026for anyone.&nbsp;&nbsp;&nbsp;<\/p>\n\n\n\n<p>Organizations have been carrying&nbsp;multiple types&nbsp;of business insurance for decades,&nbsp;including&nbsp;general liability insurance, Directors and Officers (D&amp;O), Errors and Omissions (E&amp;O), and other types of insurance&nbsp;that&nbsp;cover&nbsp;unforeseen business events.&nbsp;However,&nbsp;in the last&nbsp;five to ten&nbsp;years,&nbsp;cybersecurity insurance has become critical&nbsp;to&nbsp;help protect against losses.&nbsp;&nbsp;<\/p>\n\n\n\n<p>When TriCorps&nbsp;conducts a&nbsp;risk analysis&nbsp;or assessment, we often find that the organization we\u2019re assessing does not have adequate&nbsp;insurance&nbsp;to&nbsp;protect&nbsp;its&nbsp;data or computing environments against criminal threats or losses.&nbsp;This is&nbsp;a big vulnerability that could lead to extreme exposure.&nbsp;&nbsp;&nbsp;<\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#002173\"><strong>What is&nbsp;<\/strong><strong>C<\/strong><strong>ybersecurity&nbsp;<\/strong><strong>I<\/strong><strong>nsurance?<\/strong>&nbsp;<\/p>\n\n\n\n<p>Cybersecurity insurance&nbsp;is insurance specifically designed to help protect against losses incurred through digital means.&nbsp;This&nbsp;might&nbsp;be&nbsp;a system failure taking down&nbsp;a&nbsp;computer network&nbsp;or&nbsp;a criminal&nbsp;who is able&nbsp;to&nbsp;socially&nbsp;engineer, or&nbsp;trick,&nbsp;an&nbsp;employee into wiring money to a fake account,&nbsp;or&nbsp;tricking a team member into&nbsp;clicking on&nbsp;an email link or attachment,&nbsp;unleashing&nbsp;a ransomware attack.&nbsp;&nbsp;<\/p>\n\n\n\n<p>IT environments (including cloud computing and Software-as-a-Service applications) have proven very difficult to&nbsp;fully&nbsp;protect. Most organizations (especially smaller ones) cannot afford the \u201crock-star\u201d class&nbsp;of&nbsp;experts that can reasonably protect them, especially considering the number of unfilled cybersecurity jobs is expected to reach 1.8 million by 2022.&nbsp;&nbsp;&nbsp;<\/p>\n\n\n\n<p>Organizations do what they can to maximize protection and minimize risk, but in the end, there are unforeseen situations that could not&nbsp;be&nbsp;planned for. For these situations, one&nbsp;may&nbsp;purchase&nbsp;cybersecurity insurance.&nbsp;&nbsp;<\/p>\n\n\n\n<p>There are&nbsp;a number of&nbsp;plans out there which cover an array of&nbsp;potential&nbsp;breaches and failures, and it is important to be smart when choosing your plan. Some of the things to look for in a&nbsp;cybersecurity insurance&nbsp;plan&nbsp;include:&nbsp;<\/p>\n\n\n\n<ul><li>Protection against losses if your computing environment fails (equipment, power, facility failures)&nbsp;<\/li><li>Support for forensics and remediation efforts in the case of an incursion by cybercriminals, including scans and analyses to certify the network as clean&nbsp;&nbsp;<\/li><li>Access to experts to help your security staff be up to date on new vulnerabilities and ways to protect against these vulnerabilities&nbsp;&nbsp;<\/li><li>Protection from&nbsp;the types of&nbsp;fraud&nbsp;in which&nbsp;employees are tricked through voice, email, or communication platforms into transferring money&nbsp;&nbsp;<\/li><li>Recovery costs in the case of ransomware or other catastrophic data loss&nbsp;<\/li><li>Protections in the case of employee fraud or theft using the organization\u2019s computer systems&nbsp;<\/li><\/ul>\n\n\n\n<p>Many plans have standard protections to cover forensic, recovery, and mitigation costs ranging from $1 million &#8211; $5&nbsp;million&nbsp;typically. Most plans have a much lower limit on social engineering attacks, (where fraud and trickery are used) ranging anywhere from $25K &#8211; $250K.&nbsp;&nbsp;<\/p>\n\n\n\n<p>There are a wide variety of plans out there, and companies need to be careful to make sure they are adequately covered. The most likely paths for criminals to steal money or data is using social engineering tactics. You need to make sure that you understand what is included in any social engineering protection and&nbsp;ensure&nbsp;you are comfortable with the protected amounts.&nbsp;<\/p>\n\n\n\n<p>You also need to pay attention to the exclusions of the policy. These are the items explicitly not covered, which can come back to bite you if&nbsp;they are&nbsp;not well understood. For example, many plans have exclusions&nbsp;if&nbsp;an&nbsp;attack is perpetrated as a matter of war or international conflict. Some insurance companies have&nbsp;actually denied&nbsp;claims in major breaches because the attackers were from another country.&nbsp;Insurance companies, in these cases,&nbsp;have&nbsp;worked&nbsp;to&nbsp;avoid payment&nbsp;by claiming&nbsp;that if a nation-state&nbsp;is involved (i.e. the attack comes&nbsp;from&nbsp;within the border of&nbsp;another country), it&nbsp;is an act of war, and therefore they are not liable.&nbsp;Because of this,&nbsp;it&nbsp;is important to ask questions of your insurance provider on their claim history.&nbsp;&nbsp;<\/p>\n\n\n\n<p>TriCorps&nbsp;routinely provides cybersecurity assessments to companies and helps them understand their risk. As part of these assessments, we do look at existing cybersecurity insurance policies and provide feedback regarding their relationship to best-in-class policies. Since cybersecurity insurance is such&nbsp;a new type of coverage, many still refer to it as the \u201cwild west\u201d where there can be significant differences in policies written by different underwriters.&nbsp;&nbsp;<\/p>\n\n\n\n<p>One of the things often excluded in policies is&nbsp;when&nbsp;attacks are&nbsp;facilitated through unsuspecting business partners, such as vendors, that have connections to your networks or login credentials to your systems. One of the best things you can do for your organization is to ensure that your vendors commit contractually to an adequate level of cybersecurity themselves and will indemnify you of any losses caused by their inattention or negligence.&nbsp;&nbsp;<\/p>\n\n\n\n<p>A great many attacks on large companies have&nbsp;been initiated through smaller, less-diligent partners sharing data or networks.&nbsp;The infamous&nbsp;Target \u201chack\u201d was possible because the attackers came in through a Heating Ventilation and Air Conditioning (HVAC) vendor, who&nbsp;failed to properly protect Target\u2019s network. Through a series of unfortunate events, hackers were able to use the HVAC vendor to gain access to Target\u2019s systems in a trusted environment,&nbsp;behind the&nbsp;firewalls that would normally be checking for malicious traffic.&nbsp;&nbsp;<\/p>\n\n\n\n<p>An effective governance process for security&nbsp;is needed, so that an organization can&nbsp;periodically examine&nbsp;its risk in this area.&nbsp;TriCorps&nbsp;provides expert resources&nbsp;while performing&nbsp;a&nbsp;comprehensive cybersecurity risk analysis. We&nbsp;can&nbsp;also provide&nbsp;an&nbsp;integrated&nbsp;security&nbsp;risk analysis&nbsp;to&nbsp;an&nbsp;organization. This&nbsp;includes&nbsp;physical and electronic security&nbsp;(such as&nbsp;the&nbsp;effectiveness of access controls and surveillance)&nbsp;in addition to cybersecurity.&nbsp;The integrated security analysis can determine how&nbsp;all of&nbsp;these three critical areas of security are working in tandem to best protect an organization from&nbsp;every&nbsp;threat, whether physical, digital, or both.&nbsp;&nbsp;<\/p>\n\n\n\n<p>We frequently see risk areas that organizations do not&nbsp;consider, and we share protection and mitigation techniques that we\u2019ve identified in our work.&nbsp;As part of&nbsp;our&nbsp;risk analysis process, we observe the risks and provide avoidance or remediation guidance.&nbsp;We also provide&nbsp;an assessment&nbsp;of an organization\u2019s cybersecurity&nbsp;insurance&nbsp;policy&nbsp;(if&nbsp;it exists) and recommend&nbsp;the type of&nbsp;coverage&nbsp;an organization should have&nbsp;to better align with best practices. We also&nbsp;can assess&nbsp;vendor management practices to ensure that vendors are signing up to provide adequate cybersecurity safeguards and protections to&nbsp;an&nbsp;organization.&nbsp;This can help an organization determine if a vendor they are currently working with, or would like to work with, is&nbsp;going to adequately protect&nbsp;its&nbsp;digital assets.&nbsp;&nbsp;<\/p>\n\n\n\n<p>No organization is too small or \u201cunder the radar\u201d when it comes to becoming&nbsp;a target of cybercrime. You are a target already. If you haven\u2019t been hit yet, likely it is a matter of time. This isn\u2019t to scare you. This is to prepare you. Meanwhile, cybercriminals are automating and industrializing their cyberattack methods and social engineering techniques, allowing them to conduct a greater number of cyberattacks and social engineering scams.&nbsp;&nbsp;<\/p>\n\n\n\n<p>You must move away from reactive cybersecurity and toward proactive cybersecurity. One of the most important ways to be proactive is to obtain an adequate cybersecurity insurance policy.&nbsp;Additionally,&nbsp;you need to ensure that vendor contracts include language to protect you.&nbsp;Only those organizations with effective protections and insurance will be able to weather a major attack.&nbsp;&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>$3.92 million. That\u2019s the cost of an average data breach in 2019, according to&nbsp;IBM\u2019s Cost of a Data Breach Study.&nbsp;For small businesses,&nbsp;those with less than 500 employees, the cost of&nbsp;successful cyberattack&nbsp;is particularly&nbsp;chilling. For these types of organizations,&nbsp;a breach can cost more than $2.5 million on average.&nbsp;So, for any leader&nbsp;who&nbsp;believes&nbsp;his or her&nbsp;organization is&nbsp;too small to be [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":5672,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[12,10],"tags":[],"acf":[],"aioseo_notices":[],"featured_image_src":"https:\/\/tricorps.com\/wp-content\/uploads\/2019\/10\/cyberinsurance.jpg","featured_image_src_square":"https:\/\/tricorps.com\/wp-content\/uploads\/2019\/10\/cyberinsurance.jpg","author_info":{"display_name":"Sarah Burrows","author_link":"https:\/\/tricorps.com\/author\/sarahburrowstricorps-com\/"},"_links":{"self":[{"href":"https:\/\/tricorps.com\/wp-json\/wp\/v2\/posts\/5671"}],"collection":[{"href":"https:\/\/tricorps.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tricorps.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tricorps.com\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/tricorps.com\/wp-json\/wp\/v2\/comments?post=5671"}],"version-history":[{"count":0,"href":"https:\/\/tricorps.com\/wp-json\/wp\/v2\/posts\/5671\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/tricorps.com\/wp-json\/wp\/v2\/media\/5672"}],"wp:attachment":[{"href":"https:\/\/tricorps.com\/wp-json\/wp\/v2\/media?parent=5671"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tricorps.com\/wp-json\/wp\/v2\/categories?post=5671"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tricorps.com\/wp-json\/wp\/v2\/tags?post=5671"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}