From the DATASHIELD Resource Library:
Is cyber insurance the silver bullet that covers your organization against an attack? What lies within the fine print of a cyber insurance policy? This post poses those questions and walks through important considerations for putting cyber security insurance in place properly.
Oct 16, 2019
Risk is a tricky thing to manage… You can guesstimate, analyze and predict your potential risks based on your security programs, audits and compliance, but that doesn’t mean you won’t experience an incident, or worse, a true breach or ransom. One big trend we’ve observed is our clients transferring risk in the form of cyber insurance.
This raises the question: Is cyber insurance reliable? The quick answer is “yes”; the long answer is “it depends”. We’ve seen customers recover everything but their deductible, while others weren’t able to show they had taken reasonable steps to prevent future incidents. We believe there are several things organizations should take into consideration when picking a cyber insurance policy.
Cyber security insurance often covers only network security and privacy liability. Reputational harm, business interruption, or losses due to social engineering schemes are often secondary endorsements or not covered at all. Reputation is crucial for many organizations, and damage to it can be hard to quantify.
In many cases an organization must prove that it took reasonable steps, and an outsourced provider can be one way to demonstrate some of those steps. Failure-to-follow exclusions (clauses that void coverage if you did not follow your own stated controls) are part of insurance policies. Following a NIST/ISO model and having the right policies and procedures in place internally is critical.
More and more businesses today use cloud computing services such as Amazon AWS, Microsoft Azure or Google Cloud. Cloud complicates cyber insurance with its shared responsibility paradigm. Where does the liability lie? With you or with the provider? Insurers are aware of this and have reasonably good language around shared responsibilities, so look at the third-party network clauses and ensure they meet your expectations.
Physical damage to property is possible during a cyber incident. This can take many forms: power grid issues in the energy sector, water or sewage damage at a utility, damage to or shutdown of ventilation and other systems in a medical facility, or money spewing from an ATM during an attack on a financial institution. Not all policies cover physical damage to property or persons.
The last area is that not all insurers have an equal understanding of cyber security insurance needs. Insurer expertise in the cyber realm is likely to make the process much easier. One recent example involves AIG and a dispute over indemnity. According to AIG, their cyber insurance doesn’t cover criminal acts… See the CyberScoop.com AIG cyber insurance lawsuit article. Now I’m not sure about you, but I don’t go around telling hackers to only hack me if it’s for non-criminal reasons.
Pay close attention to policy wording, conditions, and exclusions, as they are likely to vary between insurers, making comparisons difficult or misleading. Whether you’re a small business or a huge enterprise, you are at risk. 43% of all attacks target small businesses, and there are policies for organizations of all sizes.
The biggest takeaway is that transferring your risk doesn’t necessarily make the risk go away, and cyber insurance isn’t a golden ticket. We highly suggest you get guidance before buying!