NEWS FROM THE EDGE

Tech Tips and Advice from the Experts at Dynamic Edge

Are You Thinking About Cyber Insurance The Right Way?

You’ve probably heard about cyber insurance by this point. It’s been around for several years now. Yes, it’s useful to minimize your risks—especially as cybercrime has lately grown into a multi-billion dollar business.

Businesses and organizations large and small are beginning to realize that cybersecurity is a necessary evil—it’s an evil in the sense that there is no guarantee your data or client personally identifiable information (we call this PII) will always remain secure.

Besides losing valuable or sensitive data, there’s a bigger chance now than ever before that a cybersecurity event could hurt your company and its reputation, inhibit your business growth and (worst of all) decimate your financial reserves to the point of closure (over a quarter of businesses that suffer a major cyberattack close within a year!).

As a part of your cybersecurity and disaster recovery strategy, you probably are thinking about investing in cyber insurance to minimize your business liabilities.

Here are 3 actions to take on your network before signing up for a cyber insurance policy:

Back up your network—in the event your network gets infected with ransomware or goes down for whatever reason, having backups will keep your staff working. As long as your team is down, you won’t get cash flow—what’s needed to keep your lights on!

Monitor your traffic—your IT Support should be vigilantly (daily) monitoring your traffic for suspicious activity. They should investigate anything that is unusual and ensure your network is clean. Monitoring is a critical step in minimizing the effect of malicious activity that may get onto your network.

Test, test, test—I can’t emphasize testing enough. If you don’t test what you do, you can’t guarantee anything is working! Test your backups to make sure you can actually restore files from them. Test patches to confirm they are applied properly. Keep a routine of always testing changes to your network so that you can identify issues and understand a root cause quickly when they pop up.

If you’re not showing persistent effort in protecting your network, you might be at risk of not being covered under your policy (and will have to foot hefty bills!).

The cyber insurance market is relatively young and suffers from a lack of standardization in pricing, coverage and terminology. Because of this, premiums and policy options and even liability interpretations can vary considerably between providers. It’s crucial that you understand your policy before signing your name on the dotted line.

BUT Buyer beware

Recent reports on cyber insurance coverage warn that businesses are putting too much faith in their policy. In many instances, organizations believed they had done enough to get insurance reimbursements, but ended up getting nothing.

Here are a few things to consider when evaluating your cyber insurance options:

Avoid One Policy Fits All Offers—a good cyber insurance policy is tailored to your specific risks and needs. Many brokers shove a one-size-fits-all solution down the throats of the less discerning, who end up paying for coverage they don’t need or that isn’t in the right places. Steer clear of generic offerings, even if they are cheaper at face value.

Get Multiple Quotes—obtain a variety of quotes from multiple providers before making your decision. Get an understanding of what folks are offering and how they compare with competitors before signing your name.

Read ALL of the Fine Print—maybe this seems obvious, but make sure to have your lawyers read the fine print. There have been numerous cases where insurance policies did not cover specific situations that were quite common in hospital or clinic settings. I’ve personally had to remediate several hospitals who initially thought everything was covered, only to learn down the line that not patching their computers—a possible cause for the attack—ended up voiding the eligibility of coverage.

Minimize Your Risk—you have limited control over your risks. You cannot stop dealing with large amounts of sensitive protected health information, for instance. Similarly, it would be absurd to lay off people and aim to make less revenue if you thought that your entire staff was at risk of opening the doors to an attack (which they most certainly are).

BUT, even if you think you are taking proper precautions, many cyber insurance policies require a hefty deductible (around $50,000) before they even kick in. While the insurance policy will prevent you from having to foot the brunt of the cost of a cyberattack (which averages over half a million bucks by latest counts), you will still have a big hole in your pocket after all is said and done if you end up getting a data breach or hack.

One additional word—many cyberattacks that have been hitting American businesses are initiated from places like North Korea, China, or Russia. What does that mean for your claim? Insurance providers are considering these attacks acts of war—something not covered by any policy!

The moral of cyber insurance: do invest in a policy to minimize your risks, but make sure you have your cybersecurity ducks in a row as well (otherwise you might be in for more than you bargained for if something were to happen). If you have any questions about the state of your security, we have a dedicated team of cybersecurity experts (CISSPs) on staff. We would be happy to walk through a strategy that fits your organization.
