Is cyber insurance the silver bullet that protects your organization from an attack? What lies within the fine print of a cyber insurance policy? These questions are posed here, along with important considerations for choosing and implementing cyber security insurance properly.
Risk is a tricky thing to manage. You can guesstimate, analyze, and predict your potential risks based on your security programs, audits, and compliance.
Still, that doesn’t mean you won’t experience an incident or, worse, a real breach or ransom. One big trend we’ve observed is our clients transferring risk in the form of cyber insurance.
This begs the question: Is cyber insurance reliable? The quick answer is “yes”; the long answer is “it depends.”
We’ve seen customers recover all but their deductible, while others weren’t able to show they had taken reasonable steps to prevent future incidents. We believe there are several things organizations should take into consideration when picking a cyber insurance policy.
Choosing the Right Insurer
Cybersecurity insurance often covers only network security and privacy liability. Reputational harm, business interruption, or losses due to social engineering schemes are frequently secondary endorsements or not covered at all. Reputation is crucial for many organizations, and damage to it can be hard to quantify.
In many cases, an organization must prove that it took reasonable steps, and an outsourced provider can be one way to show some of those steps. Failure-to-follow exclusions (denial of coverage when the insured did not follow its own stated security practices) are a standard part of insurance policies. Following a NIST/ISO model and having the right policies and procedures in place is critical.
More and more businesses today use cloud computing services such as Amazon AWS, Microsoft Azure, or Google Cloud. The cloud complicates cyber insurance with its shared responsibility paradigm: where does the liability lie, with you or with the provider? Insurers are aware of this and generally have good language around shared responsibilities, so look at the third-party network clauses and ensure they meet your expectations.
Physical damage to property is possible during a cyber incident. It can take many forms: power grid issues in the energy sector, water or sewage damage at a utility, damage to or shutdown of ventilation and other medical systems, or cash spewing from an ATM after a financial attack. Not all policies cover physical damage to property or persons.
The last area is that not all insurers have an equal understanding of cybersecurity insurance needs. An insurer with expertise in the cyber realm is likely to make the process much easier. One recent example involves AIG and its handling of an indemnity claim: AIG stated that its cyber insurance doesn’t cover criminal acts. Now I’m not sure about you, but I don’t go around telling hackers to hack me if it’s for non-criminal reasons.
Please pay close attention to policy wording, conditions, and exclusions, as they are likely to vary between insurers, making comparisons difficult or misleading. Whether you’re a small business or an enterprise, you are at risk. 43% of all attacks target small companies, and there are policies for organizations of all sizes.
The biggest takeaway is that outsourcing your risk doesn’t necessarily make the risk go away, and cyber insurance isn’t a golden ticket. We highly suggest you get guidance before buying!