When a data breach occurs despite the best security due diligence, an organization can be left scrambling to manage the fallout. Most companies utilize business continuity and disaster recovery plans to quickly restore order and get back to doing what they do best—running their business. However, cyberattacks can leave enterprises with financial hardship and unquantifiable losses, such as a damaged reputation. Those losses can extend to the organization’s client base as attackers target an even wider audience. Cybersecurity insurance can be a valuable support system, covering financial losses associated with cyber theft.
What is Cybersecurity Insurance and How Does It Work?
Cybersecurity insurance is a product that provides financial protection for organizations that fall victim to cyberattacks and data breaches. With it, enterprises can mitigate the impact of cybercrimes that threaten IT infrastructure, IT security policy, and information governance (IG), areas usually not covered by traditional insurance policies.
Like other forms of insurance, cybersecurity insurance is designed to cover the losses an enterprise experiences from a cybercrime. Policies typically include first-party coverage for losses that hit the organization directly, such as lost income and the cost of restoring systems. They also include third-party coverage for the organization's liability to others affected by the attack, such as customers or partners who bring claims because of the business relationship they share with it. Along with the financial losses of the attack itself, cybersecurity insurance can also cover remediation costs such as refunds to affected customers, legal services, and crisis communication.
When applying for a cybersecurity insurance policy, organizations must meet certain requirements to qualify for coverage. The requirements help organizations prove that they are upholding healthy protocols to help mitigate the risk of a cyber attack. By doing so, enterprises will have a much easier time getting a claim approved if necessary. While each insurance company may have its own set of requirements, here are six of the most common:
Fortified Access Controls
One of the first things a cybersecurity insurer will look at is the strength of an organization's access controls. Access controls are the checks a user must pass before reaching data; fortifying them keeps unwanted users out of the organization's systems. Access control rests on two elements: authentication, which verifies who the user is, and authorization, which decides what that user is allowed to do with a given resource. Organizations may use different access control models. Here are three of the most common:
Discretionary Access Control (DAC)
The owner of a resource decides, at their own discretion, which other users may access it and at what level.
Role-based Access Control (RBAC)
Permissions are attached to roles in the organization, and users gain access by holding a role rather than through grants made to their individual accounts.
Attribute-based Access Control (ABAC)
Access is decided by rules over attributes of the user, the resource, and the environment. Examples include the user's job title and location, the data's classification, and the time of day.
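As an added illustration (example code written for this page, not the author's or any product's code), the three models can be compared as small policy functions over invented users, resources and rules. Every name, attribute and rule below is an assumption made for the demonstration:

```python
"""DAC, RBAC and ABAC decisions side by side on constructed sample data.

Added example for this page (not the author's code). Users, resources and
rules below are invented; each function answers one question: may `user`
perform `action` on `resource`?
"""

# --- DAC: every resource carries an access list that its owner edits ---------
# Constructed: alice owns payroll.xlsx and chose to let bob read it.
DAC_ACL = {
    "payroll.xlsx": {"owner": "alice", "grants": {"bob": {"read"}}},
}


def dac_allows(user, action, resource):
    entry = DAC_ACL.get(resource)
    if entry is None:
        return False
    if entry["owner"] == user:  # the owner keeps full discretion over the data
        return True
    return action in entry["grants"].get(user, set())


# --- RBAC: permissions attach to roles; users only hold roles ----------------
ROLE_PERMS = {
    "hr-analyst": {("read", "payroll.xlsx")},
    "hr-manager": {("read", "payroll.xlsx"), ("write", "payroll.xlsx")},
}
USER_ROLES = {"carol": {"hr-analyst"}, "dave": {"hr-manager"}, "erin": set()}


def rbac_allows(user, action, resource):
    # No per-user grants exist: remove a role and every permission goes with it.
    return any((action, resource) in ROLE_PERMS.get(role, set())
               for role in USER_ROLES.get(user, set()))


# --- ABAC: rules over attributes of subject, resource and environment --------
SUBJECTS = {
    "carol": {"department": "hr", "clearance": 2, "location": "office"},
    "frank": {"department": "hr", "clearance": 2, "location": "cafe-wifi"},
    "gina": {"department": "sales", "clearance": 3, "location": "office"},
}
RESOURCES = {"payroll.xlsx": {"department": "hr", "classification": 2}}


def abac_allows(user, action, resource, env):
    """`env` carries environment attributes; here only {"hour": 0-23}."""
    subject, res = SUBJECTS.get(user), RESOURCES.get(resource)
    if subject is None or res is None or action not in ("read", "write"):
        return False
    # Rule 1: the subject's department must own the resource.
    if subject["department"] != res["department"]:
        return False
    # Rule 2: clearance must reach the resource's classification.
    if subject["clearance"] < res["classification"]:
        return False
    # Rule 3 (environment): writes only from the office, during office hours.
    if action == "write":
        if subject["location"] != "office":
            return False
        if not 8 <= env["hour"] < 18:
            return False
    return True
```

The practical difference shows in the ABAC case: frank has the same department and clearance as carol, yet his write from a cafe network is refused and carol's write at 22:00 is refused, decisions that neither a DAC list nor a role assignment can express without creating extra roles or lists.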
Routine Vulnerability Assessments
Cybersecurity insurers want evidence that an organization regularly examines its network and systems for weaknesses and fixes what it finds. One of the most common weaknesses is in authentication, where stolen credentials or weak passwords let an unauthorized user log in as a legitimate one. Once inside the network, the attacker can cause enormous damage to the enterprise.
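Added example, not the author's code: a detector for the two credential-attack patterns behind the paragraph above, brute force (many failures against one account from one source) and password spraying (a failure or two against many accounts from one source). The log lines are constructed to resemble OpenSSH syslog output, and the window and thresholds are assumptions to tune for a real environment:

```python
"""Flag brute-force and password-spraying patterns in authentication logs.

Added example for this page, not the author's code. SAMPLE_LOG is constructed
to resemble OpenSSH syslog lines; the regex, window and thresholds are
assumptions to adjust for a real environment.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-03-04T09:12:01Z sshd[1201]: Failed password for bob from 203.0.113.9 port 51022 ssh2
2024-03-04T09:12:03Z sshd[1201]: Failed password for bob from 203.0.113.9 port 51023 ssh2
2024-03-04T09:12:05Z sshd[1201]: Failed password for bob from 203.0.113.9 port 51024 ssh2
2024-03-04T09:12:07Z sshd[1201]: Failed password for bob from 203.0.113.9 port 51025 ssh2
2024-03-04T09:12:09Z sshd[1201]: Failed password for bob from 203.0.113.9 port 51026 ssh2
2024-03-04T09:12:11Z sshd[1201]: Accepted password for bob from 203.0.113.9 port 51027 ssh2
2024-03-04T09:30:00Z sshd[1340]: Failed password for alice from 198.51.100.7 port 40001 ssh2
2024-03-04T09:30:20Z sshd[1341]: Failed password for carol from 198.51.100.7 port 40002 ssh2
2024-03-04T09:30:40Z sshd[1342]: Failed password for invalid user dave from 198.51.100.7 port 40003 ssh2
2024-03-04T09:31:00Z sshd[1343]: Failed password for erin from 198.51.100.7 port 40004 ssh2
2024-03-04T10:05:12Z sshd[1502]: Failed password for carol from 192.0.2.5 port 53311 ssh2
2024-03-04T10:05:20Z sshd[1502]: Accepted password for carol from 192.0.2.5 port 53311 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_line(line):
    """Return a dict for an auth line we understand, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return e


def detect(log_text, window=timedelta(minutes=5), brute_threshold=5, spray_threshold=4):
    """One finding per source IP, whichever pattern trips first."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    fails, successes = defaultdict(list), defaultdict(list)
    for e in events:
        (fails if e["result"] == "Failed" else successes)[e["ip"]].append(e)

    findings = []
    for ip, f in fails.items():
        f.sort(key=lambda e: e["ts"])
        for start in f:
            # Sliding window that opens at each failure from this source.
            in_win = [x for x in f if start["ts"] <= x["ts"] <= start["ts"] + window]
            per_user = defaultdict(int)
            for x in in_win:
                per_user[x["user"]] += 1
            top_user = max(per_user, key=per_user.get)
            finding = None
            if per_user[top_user] >= brute_threshold:
                finding = {"type": "brute_force", "source": ip, "target": top_user}
            elif len(per_user) >= spray_threshold:
                finding = {"type": "password_spray", "source": ip, "accounts": len(per_user)}
            if finding:
                # A success from the same source after the attempts is the
                # signal that turns a noisy alert into an incident.
                last = in_win[-1]["ts"]
                finding["followed_by_success"] = any(
                    s["ts"] >= last for s in successes.get(ip, []))
                findings.append(finding)
                break
    return sorted(findings, key=lambda d: d["source"])


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

On the constructed sample, the source that hammered bob's account is reported as brute force with a following successful login, the source that tried one password against four accounts is reported as a spray, and the user who mistyped once before logging in correctly produces no finding.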
Incident Response Plan
When a cybercrime is committed, every minute counts. Containing a breach quickly can save an enterprise from catastrophic losses. Once an attack is underway, the incident response plan lays out the processes and procedures to follow, so that personnel can contain the damage rapidly and efficiently. An organization's incident response plan should include the following:
- Who to notify and how
- What information needs to be collected
- How to categorize the security breach
- Post-mortem review of the incident
- Identifying the root cause and how to resolve it moving forward
Employee Cybersecurity Training
No matter how robust an organization's cybersecurity measures are, they can all be undone by uninformed end users who leave the door open for cyber thieves. Regular cybersecurity training for employees is paramount if those measures are to have any effect. For instance, employees can be taught how to create strong passwords, recognize phishing messages, and treat unsolicited email attachments and unexpected downloads with suspicion rather than opening them.
Multi-factor Authentication
As the digital workforce embraces remote work across multiple mobile devices, organizations must implement multi-factor authentication to ensure that only legitimate users reach their data. Multi-factor authentication requires users to present two or more forms of verification from different categories to gain access to an enterprise's network and data. Typically, the first factor is something the user knows, such as a PIN or password. The second is something the user has or is: a code generated by an authenticator app or hardware token, or a biometric marker such as a fingerprint, voice ID, or face ID. Not all second factors are equally strong: codes sent by SMS and one-tap push approvals are the easiest for an attacker to intercept or trick a user into approving, while hardware security keys that bind the login to the site being visited resist phishing best. Even so, any multi-factor setup makes a stolen password far less useful on its own.
Data Encryption
Whether data is stored in the cloud, on premises, or in transit, encryption protects it by transforming it into ciphertext that is unreadable without the key. Organizations can employ end-to-end encryption (E2EE), in which only the communicating endpoints hold the keys, so not even the service provider that stores or relays the data can read it. A cyber thief who intercepts the data gets only ciphertext and cannot recover the contents without the key. Encryption is only as strong as the handling of its keys, so keys need to be stored separately from the data they protect, with access to them tightly controlled.
Cyber Security Insurance Claims Process
In the event of a cyberattack, an organization should take the following steps to file a claim properly:
Contact the Insurance Company
Notify the cybersecurity insurance company right away.
Provide Detailed Information
Submit written proof of the loss. Include details, such as time, place, and the cause. Estimating the loss and providing documentation to support it is also important. Most insurance companies will allow a ninety-day window for companies to gather information. They may extend the window if losses are still occurring outside of that timeframe. Enlisting the support of a forensic accountant to represent the organization’s interests can be extremely helpful. They can calculate the financial loss and present it to the insurance company.
Review Policy Details
Organizations suffering income loss or extra expenses should review the insurance policy to confirm what’s covered. Insurance companies may use different language when defining “extra expenses” or “business income loss.” It’s also important to clarify how long the policy will cover losses.
Enlist the Help of Approved Vendors
When managing the fallout of a cyber attack, it's helpful to work with third-party vendors specializing in response and recovery. In certain cases, cyber insurance policies include "vendor panel" clauses, which state that organizations may only enlist the help of panel-approved vendors. Going outside the approved panel can result in denied or only partial reimbursement. It's important to discuss options with the insurance carrier before proceeding.
Each vendor an organization hires to help with response and recovery must provide detailed statements of work (SOWs). With SOWs, enterprises can submit detailed bills to the insurance carrier to reimburse expenses.
How to Avoid Cyber Security Claims Denial
When it comes to avoiding cybersecurity claim denials, organizations must read the language of their policies closely. Here are three common grounds on which insurance companies deny claims:
Vague Policy Language
Some policies contain vague language, such as "failure to maintain" or "failure to follow." Wording like this protects the insurer from having to reimburse an organization that did not adequately maintain the security measures it committed to. Organizations must scrutinize the policy to identify clauses or wording that could undermine a claim, and negotiate their removal or narrowing where possible. The cybersecurity team should confirm that the controls actually in place match what the organization attested to on its application and what the policy requires, because a gap between the two is exactly what such clauses are written to exclude.
PCI Fines & Assessments
Some cybersecurity insurance companies have policy clauses restricting coverage for payment card industry (PCI) fines and assessments. Insurers can limit reimbursement or deny claims based on these clauses when an organization has a data breach that exposes customer credit card information. How the breach occurred is also important. If a virus or self-propagating code was utilized in the attack, PCI coverage may be denied.
Ransomware Sub-limits
The ransom a cyber thief demands can be disproportionate to the losses an organization sustains. For example, a $20,000 ransom can result in a $500,000 loss of income while systems are down. Ransomware attacks can also damage a company's reputation, inflicting further financial hardship, and these losses are hard for an insurer to quantify. Cybersecurity policies usually carry an overall limit per insuring clause and a sub-limit for each specific element within it, so the amount available for an extortion payment may be far smaller than the policy's headline figure. Organizations should review the extortion insuring clause to understand the limits that apply.
With over forty-two years of experience, Cynergy Technology is a leading provider of cybersecurity solutions. Our backup and disaster recovery solutions can help your enterprise return to work quickly. As a managed service provider, Cynergy Technology can safeguard your enterprise in several ways, including 24/7/365 security oversight, network security tools, anti-phishing, education and training, vulnerability assessments, and more. If you’re considering applying for a cybersecurity insurance policy, we can help you meet any requirements with our diverse and robust cybersecurity solutions. Contact us today for a free consultation!