What is Cyber Insurance and Does Your Company Need It?

Cyber Insurance

Most insurance carriers do not include coverage for cybersecurity events in their normal business continuity or business resilience insurance offerings. The world of business insurance has a subcategory known as cyber insurance, cyber liability insurance, internet liability insurance, or data breach insurance. SMBs should absolutely investigate getting this coverage. Vista IT Group now requires it to become a fully managed customer.

Why Do You Need Cyber Insurance?

This type of insurance kicks in when you have a cybersecurity event like ransomware or a data breach. Even a small business with around 25 employees and a couple of servers can easily and quickly rack up hundreds of staff hours of labor. We have written about the cost of cybersecurity breaches and ransomware attacks before. We cannot emphasize enough that recovering from a ransomware attack is a painfully slow process. Many computer viruses can even hide inside things like multi-function printers. It can happen to anyone, including you. The faster your business wants to return to operation, the more people and tools need to be involved, which drives up the costs substantially. Your business may find itself:

  • Needing to pay extra ransom
  • Found liable for any personal information that could result in identity theft
  • Found liable for attacks against third-party companies affiliated with your organization
  • And/or found liable for fines and penalties for regulatory non-compliance (e.g. PCI, HIPAA)

How Do You Get Cyber Insurance?

The easiest way is to contact your existing business insurance agent. Different insurance carriers may use some of these terms differently or interchangeably: cyber insurance, cyber liability insurance, internet liability insurance, or data breach insurance. Make sure you keep track of how the terms are used across different insurers. It will help if you have already thought through the coverage your organization needs. The Federal Trade Commission has a page on cyber insurance with a list of questions for you to think about and ask during the process. Your agent will ask you a series of questions, may have an application form for you to fill out, and you may be required to sign attestation forms to get a policy.

What are Some Common Mistakes to Avoid? 

To make sure you have the right coverage at the right price, you need to understand what is (and isn’t) covered and re-evaluate your policy every few years. But there are some things more specific to cyber insurance that might trip up an organization.

  • Store Your Insurance Policy Information in Multiple Places and Ways

    If your network is offline due to a cyberattack, you won’t have access to your file share and maybe even your workstations. At an absolute minimum, keep the insurer’s name, contact phone numbers, and your policy/contract numbers available in a way that doesn’t need the business’s computer systems. If you are becoming a managed service customer of Vista IT Group, we will always ask you for this information and we will keep a record of it for you as well.

  • Understand The Insurer’s Requirements and Processes for Filing a Claim

    Most insurers require a firm certified in forensic investigations to be the first responder. Your organization’s claim may be completely invalidated if anyone starts doing anything without being expressly advised to do so by an incident response team the insurer recognizes as experts. Once you have the paperwork signed to start your policy, make sure you ask the insurer what can and cannot be done in the event of an incident. These days, that usually involves unplugging network connections to your internet router and calling into a dedicated cybersecurity call center to start the claim and engage the forensic IT firm. Vista can assist with the recovery process, but we will only act after the insurance company has been contacted and the desired actions are authorized by the incident response team.

  • Accurately Fill Out the Paperwork

    This may sound like common sense, but it often is not. Often, staff will think they know the answer to a question without understanding its full nuance, and we are talking about contract law here. This is another area where Vista might be able to assist your organization. For example, does your organization enforce multifactor authentication (MFA) for all administrator-level accounts? Just because multifactor authentication isn’t supported for an administrator-level login doesn’t mean it’s not considered a requirement. The insurance company may require alternate security controls like a management network that is only accessible via a management device that can be secured with MFA. These kinds of mistakes can cause a claim dispute, as in the case of Travelers Property Casualty Co. of America v. International Control Services Inc., which resulted in complete negation of a cyber insurance policy.

  • Understand Your Regulatory Obligations

    These can be international, federal, state, and even local municipality regulations. There are a lot of ways to be covered by a regulatory framework without knowing or fully understanding how it applies to your organization. For example, storage of other entities' full primary account number (PAN) information can make PCI rules apply to you even if you only keep them on file to use with a payment processing service. The FTC Safeguards Rule was recently amended to include anyone that provides financial advice to consumers, including businesses acting as real estate appraisers, tax preparers, or even just linking consumers to businesses that have financial services.

We cannot emphasize enough how important cybersecurity insurance is. Recovering from a ransomware attack is a slow process, takes a lot of staff hours, and costs a lot of money.


If cyber insurance is something you are interested in but don’t know where to start, don’t hesitate to reach out. We’re happy to help!

 
