Each year, we all agonise over our home buildings and contents insurance policy renewal: adding options such as accidental damage in case the cat or the children knock something over, pondering whether to insure the garden furniture, then verifying that the policy will protect against subsidence.
We double-check what happens if the house burns down: does the policy provide alternative accommodation for you and your family? The list of queries is endless, but you work through it.
Holding that thought for a moment: can you honestly say you have given your business cyber insurance policy the same level of scrutiny as your last home buildings and contents policy renewal?
Ask yourself, is your company ready for the financial repercussions of a successful cyber-attack?
Cybersecurity insurance is a must for every business, but merely purchasing a policy is not enough, not when attacks on systems are ramping up and potentially causing unprecedented damage.
Using the home insurance analogy, just because you have building and contents insurance does not mean you leave the doors and windows wide open when you go out for the day.
The same is true of cyber insurance: having a policy does not mean you can skip putting the systems, management, and governance in place to mitigate cyber risk.
When you leave your home or go to bed, you lock the doors and windows and go round the house checking that things are switched off.
Most of us have fitted a burglar alarm, and often we have gone further, installing CCTV, smart doorbells, and smart sensors around the home.
We secure the perimeter of our homes with double mortice locks, door entry systems, fences, and gates. We fit lights that come on automatically with movement in the garden. Smoke and carbon monoxide alarms detect threats and alert you to danger.
The wrong kind or amount of coverage could be worse than having none at all. A false sense of confidence could end up costing your business more — or cause you to lose it altogether.
Not all cyber insurance policies are created equal. Some will pay your ransom; some will not. Not all will pay your regulatory fines. Many will not cover the cost of improvements, after a hack, that could protect you from getting hit again. And if the culprit is a foreign nation? You could wind up in court trying to recoup your costs, and even then you might lose.
Knowing which questions to ask about cyber insurance can be its own kind of insurance, one that helps prevent you from making the wrong choices while protecting your business and bottom line.
Here are six key cyber insurance questions that we recommend you ask your senior management team:
- Do we have a cyber insurance policy?
  - This question may seem elementary, but it is critical to ask.
  - So often in business, the left hand literally does not know what the right hand is doing. Frequently, the assumption is that an existing property damage or business continuity policy will cover an incident even if the policy is “silent” on cybersecurity issues.
  - If this is your situation, you could end up footing the entire bill for a breach or attack, or engaging in a costly court battle for payment.
- Who owns the task of mitigating cyber risk with insurance?
  - Who is in charge of selecting and buying cybersecurity liability insurance for your firm?
  - And in the event of a cyber-attack, whose job is it to file the claim and see it through to settlement?
  - Establishing accountability helps confirm that the tasks of managing and mitigating cyber risk get done properly and in a timely manner.
  - Before you can formulate a cybersecurity risk management strategy, which is critical to operational and digital resilience, you should establish robust systems, management, and governance for incident readiness.
- Do we have the right amount of cyber insurance?
  - How much insurance is enough? To help get the right answer, you need to quantify your cybersecurity risk.
  - Sometimes an incident becomes a wake-up call for an industry. After the debilitating NotPetya attack, the maritime industry began to improve its cyber security. Threat information sharing has improved, and as a result, cyber insurance products emerged.
  - Quantifying risk now can prevent headaches, and potentially catastrophic losses, for small and midsize companies.
- What does our policy cover?
  - What are the exclusions on your policy? Find that out now. When your systems are being held hostage is not the time to discover that your cyber insurance policy excludes ransomware payments, for instance.
  - Most policies will reimburse you for network security, hiring legal counsel and paying a forensics vendor. Often, they will pay the costs of restoring data and bringing your operations back online.
  - What about the cost of a root cause investigation? That may not be covered.
  - What about the cost of breach notifications? If credit card numbers have been stolen, the cost of notifying the cardholders could be prohibitive.
  - Does your policy cover public relations and communications? The right messaging can be critical for preventing and repairing reputational loss.
  - Will your insurance pay the cost of providing credit monitoring and identity restoration to customers whose personally identifiable information (PII) was stolen?
  - If you are hit by ransomware, will your policy pay the costs of negotiating with the attacker and paying the ransom?
  - If an advanced persistent threat (APT) infiltrates your systems in a nation-state attack, will your insurance fund your recovery, or will it write off the incident as an “act of war”? (This was tested in the wake of the NotPetya attack.) With the predicted increase in the sophistication of APTs, this question should no longer be treated as hypothetical.
  - What if your organisation incurs fines for violating the European Union’s General Data Protection Regulation (GDPR)? How much, if anything, will your insurance company pay?
  - If your business is hit by malicious actors because your security was not strong enough, your insurance policy probably will not pay out.
  - Have you taken enhanced cyber protection services from your technology partner to mitigate the risks to an appropriate level, and adopted appropriate governance such as Cyber Essentials?
- Does our insurance provider understand our industry and its risks?
  - Insurance companies are used to dealing with risks and threats such as natural disasters, overseas riots, and loan defaults. However, they may not understand how phishing, social engineering and malware work, or the dangers they pose to your business.
  - Do insurance providers grasp the privacy and security requirements that GDPR imposes on your industry?
  - Do they understand the importance of the Bank of England’s guidance on operational and digital resilience in financial services?
  - Do you hold confidential data or high-value intellectual property?
- Is our policy flexible enough to adapt as our business grows?
  - Your cybersecurity liability policy should be flexible enough to adapt to malicious actors’ changing tactics. It should also allow your organisation to adapt and change as your business and technology needs grow, without having to augment your policy.
  - At the same time, your team should actively review your cyber policy at each renewal. If you do not feel equipped to determine whether your policy is sufficient, get help, either from an in-house team, outside legal counsel, or an experienced and qualified consultant such as your Tycom vCIO.
- Do we understand our cyber insurance policy excess fees?
  - Verify what your policy excess is for each type of insured cyber incident.
  - Ask your insurer what happens if you were to suffer multiple types of incident from one attacker over a sustained period: do you pay one excess, or a separate excess for each incident type?
  - Be bold. Ask your insurers what happens to renewal premiums in future years if you have had to make a claim.
The responsibility for protecting the company’s systems, network and assets sits at the very top: the business owners or board of directors own the risk. The role of Tycom is to make sure they understand how much risk they would carry by not having adequate cyber protections in place. The senior leadership team should also discuss and be comfortable with the cyber risk appetite as part of its oversight role of management’s activities.