Protecting clients from cyberattacks is our most pressing responsibility.
It requires a massive investment in talent and tools to provide this service effectively. For our clients who embrace our advice and adhere to our recommendations, we believe that their level of protection is best-in-class. Even so, nothing is guaranteed because cyber-risk is extremely difficult to mitigate.
We give every client this message about cyber-risk management:
“You can outsource the responsibility to us but you cannot outsource the liability.”
The underwriting of cyber-risk insurance is a messy business that is hard to navigate. Getting the right policy is not easy but having this type of insurance is mandatory. A strong managed IT provider is an important partner as you move through the process of getting your cyber-risk insurance policy.
Here is the good news. The protocols you need to follow in order to qualify for cyber-risk insurance dovetail with cyber security best practices. Getting the right policy is challenging but the process will make your company stronger, safer, and protected from risk.
Cyber-Risk Insurance Liability Coverage
When a business is a victim of a cyberattack, it can cause financial damages that the insurance industry organizes into four silos. These are the liabilities cyber insurance is designed to safeguard against.
- Core Business Losses – Any lost revenue due to breach or direct expenses to rebuild systems and recover data.
- Breach Management – Notification of the appropriate parties, crisis management, and post-mortem investigation.
- Regulatory Actions – Federal and state regulations often require that organizations take specific steps when responding to a breach. These vary by industry, geography, and the data affected.
- Civil Lawsuits – Breaches often result in civil lawsuits that must be litigated and resolved.
One look at this list and it becomes clear that the disruption to business operations caused by a cyberattack is potentially far-reaching, long-term, and exhausting. When an insurance company is on the hook to cover these liabilities, its legal and consultative resources are likely to be as valuable to the victim of the crime as its financial obligation to cover losses.
Cyber-Risk Management Compliance
Businesses can anticipate a compliance checklist from the underwriter that will include all of the following items. This list might seem extensive, but it reflects the protocols required to qualify for cyber insurance.
- Are you aware of any unreported cyber-attacks or breaches to your business?
- Please provide an inventory of all devices used by employees to access their work-related functions.
- Please describe the employee functions at your company that require use of computers, smart phones, servers and Internet access.
- Does your company allow any employees to have remote access to your network?
- If yes, do you require multi-factor authentication to secure remote access?
- If yes, do you have a VPN (virtual private network) that must be used to access your network?
- Do you use multi-factor authentication for access to cloud-based email accounts?
- Do you have a regular routine for cyber security awareness training for all employees? Are anti-phishing systems in place that test each employee’s susceptibility to fraud tactics?
- Do you routinely implement critical security patches for all of your software products used by the company?
- Do you scan all incoming emails for potentially malicious links and attachments?
- Do you protect all of your devices with anti-virus, anti-malware and endpoint protection software?
- How do you back up critical data?
- Are your backups to a server that is offline?
- Are your backups using a cloud-based service designed for security?
- Are your backups encrypted?
- How frequently do backups occur?
- How do you test your backup systems for full recovery of data and full recovery of server configurations? When did you last conduct a successful test?
- Are you using any hardware or software that is past its end-of-life support date? If yes, is any EOL software you are using isolated from the rest of the network?
- Do you use Microsoft Office 365?
- If yes, which Windows Defender or advanced threat protection products are you using specifically for MS Office 365?
Any company that is already following the recommendations of their IT advisor will see this list as reasonable and logical.
No business leader is excited to learn that getting cyber-risk insurance is at the top of the project list, but it is. The most constructive approach is to embrace the reality that your company’s lawyers, lenders, insurance brokers and IT advisors are all more or less on the same page when it comes to best practices for managing cyber-security risks. Pull in your IT advisor and get it over with.
NOTE: EO Advisor would like to thank Bill McLean, CIC for his patience, wisdom and guidance while we were drafting this article. Bill works at Banker’s Insurance here in Asheville – they are the insurer of record for Electronic Office. Banker’s Insurance has a web page dedicated to information about cyber liability insurance that readers of this article will find useful.