Welcome to another installment in the Mission Cyber Group blog series on protecting yourself from cyberattacks! Last month, we talked about the importance of having security policies and governance in place at your business, and how doing so can lessen the impact of a future cyberattack or breach—or prevent one altogether.
This month, we thought we’d move on from that admittedly dry topic to a sexier subject: insurance!
What is cyber security insurance FOR, anyway?
Businesses have many options out there when it comes to beefing up security. Heck, this blog series is a great example of the many different avenues there are to protect yourself (hint: there’s more than a couple more coming in future months). They all cost money, of course, and they all revolve around how a business wants to manage risk. Some solutions lower your risk, some make certain levels of risk manageable, while others—including cyber security insurance (or as we’ll shorten it to through this blog, cyber insurance)—serve to transfer a degree of risk. That’s what all insurance is: an insurance company, whether it’s health insurance, cyber insurance, or insurance on your baseball card collection, takes on part of the risk in the event of an accident or, in the case of cyber insurance, a breach or attack.
Cyber insurance kicks in when you have to deal with a security event. A “security event” is not, as it sounds, an office party for mall security officers, but rather a situation where your company or its data has been compromised, stolen, or attacked. This could take the form of cyber extortion, malware infection, data loss, privacy breach, a denial-of-service attack, ransomware, theft of funds, or other similar events.
When one of these things does happen, it tends to be extremely costly—cyber insurance is how you can recoup your losses in that situation. A good policy can also provide resources to help your company recover or mitigate the damage.
Who needs it, who doesn’t
Broadly speaking, just about every business could benefit from cyber insurance. The need for it increases as the business gets larger, in part because there is more damage that can be done (larger businesses have more assets like data that could entice criminals), but also due to the fact that the depth and breadth of attacks magnify considerably when the target company is larger. Medical, banking, and retail organizations, those who store private and sensitive customer information, are some of the preferred targets for cybercriminals.
Currently there isn’t a federal, universal requirement that a company have cyber insurance, but there are two important caveats here.
First, cyber insurance is relatively new in the insurance field, and recent years have shown an increase in all sorts of digital or online regulations—some states and industries might have specific requirements, and it’s worth working with a lawyer or doing research to understand the latest as it relates to your company. There are always exceptions, of course, and finding yourself noncompliant with important regulations is not where you want to be.
Second, what is common today is that you may be contractually obligated by a partner to have cyber insurance before they will do business with you (or do business beyond a certain threshold). Especially as risk in the supply chain of services increases over the years, companies are looking to their partners’ protections as a way of mitigating their own risk.
Acquiring cyber insurance
When you apply for cyber insurance, it’s not going to be as simple as filling out a form and paying a set premium. Insurance providers are going to look to make sure you’re doing your due diligence and following security best practices. If you’re not, you could end up with higher rates or even have your application denied.
What will they want to see in your security portfolio? Things like firewalls, EDR, data backup and restoration protocols, multi-factor authentication, endpoint security measures, email protection, and intact policies and procedures will all help show these providers that you aren’t an unreasonable risk and are deserving of lower rates. They’ll also be considering your company size, structure, revenue analysis, and previous security incidents like the events mentioned above.
When shopping for a cyber insurance provider, something to keep in mind is that it’s best practice to run your approved vendor list by them. If one of the vendors on your list isn’t on theirs, they may offer you a list of their own. It’s important to be in agreement on these lists, because it will help your provider coordinate their response in the event of a breach or cyberattack. Think of it like this: with your health insurance, some doctors or practices are “out of network”; you may still be able to use them, but you won’t get the most benefit out of your policy unless you go with an “in-network” provider.
We’ll leave you with one more optimistic thought: a great side effect of those cyber insurance due diligence expectations is that they encourage higher overall security hygiene across businesses—which helps those companies’ partners be a little more secure. It’s a cascading effect that passes benefit down the line—the more secure one company is, the more secure we all can be.
Cyber security insurance is just one part of a healthy, balanced breakfast—er, cyber security, data protection, and GRC plan. Get started on your path to compliance, robust cyber defense, and vulnerability management by heading to our contact page or talking to MCG’s David at [email protected].