The topic of cybersecurity insurance seems to be on the radar of most organizations I speak with. There are a lot of questions around how much coverage is needed and what exclusions one should be on the lookout for when purchasing a policy. I usually try to use this as an opportunity to talk about what a cyber insurance policy is not, and I’ll get to that later.
I do not really give a detailed answer to these questions, though. The truth is that it varies, beyond noting that the insurance companies selling the policies typically have a formula for calculating the amount of coverage needed. This coverage is based on the amount and type of data at hand in conjunction with the preventative measures the organization already has in place. The exclusions can also be a real nightmare, depending on the extent and type of incident and, again, the preventative measures already in place. There could also be regulatory fines incurred after an incident that are not covered by a policy.
Cyber insurance coverage can be very problematic because the market is relatively immature. The industry lacks the historical cyberattack data that other insurance coverage areas have. Many of the policies seem to focus on organizations that maintain personally identifiable information (PII) or personal health information (PHI), even though an organization that handles neither is still susceptible to cyberattacks such as ransomware and cyber extortion. Due diligence must be put into understanding what the policy does and does not cover, to ensure that there are no surprises in the event that it is needed.
In our next blog, my colleague Bryan Allison will detail considerations for purchasing a cyber insurance policy. But first, we will discuss what cyber insurance is not…
Cyber Insurance Is Not...
It’s not uncommon to hear people say, “Why do we need to do an IT audit or a penetration test? Didn’t we just fill out a checklist and pay for a cyber policy? We’re secure, right?” Cyber insurance policies should certainly be part of an overall incident response strategy, but a policy alone is not going to save you from all aspects of a breach. The point here is simple: you should not hide behind a cyber insurance policy. It is not a “Get Out of a Breach Free” card. Cyber insurance should be part of your recovery strategy in the event of an attack, but the focus should be placed on solid network maintenance, policies and procedures, and regular advanced penetration testing of your organization’s infrastructure.
I have helped fill out several dozen questionnaires for cyber insurance policies over the past few years, and most have been in-depth. There are also some vague questions that would lead an insurer to believe that an organization has a control in place, such as a security operations center, when it really has a network administrator making a best effort to review failed login attempts manually here and there. That alone is frightening, because the policy could be voided from day one due to inadequate controls and the inability to produce an organized audit trail.
Even the most robust policy will not cover all aspects of a breach. On top of the regulatory fines, which likely will not be covered, there is the reputational damage that an organization suffers if an incident occurs. There is no replacement for a strong IT shop with dedicated security analysts, or a partnership with a dedicated cybersecurity firm, NOT a hardware reseller that just started offering penetration testing. If you are not taking real steps to secure your environment, you likely will not see a single cent of a claim on that newly purchased cyber policy.