Cyber Insurance is not a Cybersecurity strategy

Dale Frohman
4 min read · Jun 28, 2021


Up until recently, companies were leaning on their cyber insurance policy as their business continuity plan and cyber defense strategy. It became an excuse not to invest in good security practices and products: the policy would cover the financial losses, so IT investment could be cut.

This is coming to an end.

The insurance carrier AXA announced that it would stop covering ransom payments under its cyber insurance policies in France, and other carriers are following suit. Even if they stay in the game, premiums are already on the rise.

Reportedly, bad actors search the systems they infiltrate, prior to encrypting them with ransomware, for information about the victim's cyber insurance coverage, and adjust their ransom demands accordingly.

First, let's look at what cyber insurance policies do not cover:

  • Losses where the business has not taken normal and adequate care to secure its property against the threat
  • Reputational damage
  • If you are a non-profit, monetary contributions that donors haven't made yet
  • Upgrades. If you decide to upgrade as part of the restoration process to prevent future vulnerabilities, your policy may not cover this
  • Deflecting attention from regulators
  • Future profits
  • Decreased valuation due to electronic theft of intellectual property

What does your cyber insurance policy cover?

  • First-Party Expenses: Incident response and digital forensics services, PR services to manage reputational damage caused by a breach, notification to affected parties, credit monitoring services and other expenses.
  • Third-Party Expenses: Defending liability claims and/or fines and penalties assessed by regulating authorities. Think legal fees and HIPAA fines.
  • Cyber Crime Costs: Financial losses resulting directly from criminal activity.

What to look for in a policy

  • What types of events are covered? DDoS, ransomware, malware, electronic theft, deletion of data, cyber extortion, etc.
  • Does it cover social engineering attacks such as phishing and spear phishing?
  • Does it cover legal fees and penalties?
  • Does it cover notification to affected parties?
  • Does it cover forensics and professional services?
  • Does it cover incident response?
  • Does it cover loss of income due to disruption of operations, and how long must the disruption last before the policy kicks in?
  • What are the requirements to make a claim? If you can't provide certain data and evidence, you may not be able to make a claim

What should you prepare for when shopping or renewing your policy?

Each provider will require a questionnaire and supporting evidence to satisfy itself that your answers are truthful and accurate.

Here are a few examples:

  • Do you use multi-factor authentication for email and server login?
  • Do you maintain daily offsite backups of all critical data?
  • When was the last time you tested restoration of the offsite backup?
  • Is any part of your IT infrastructure outsourced to third party providers?
  • Disclose previous cyber incidents
  • IT operational and capital expenditure on security last year
  • Percentage of infrastructure managed in-house vs. outsourced
  • How many dedicated employees are in an IT security role?
  • Who is responsible for IT security?
  • Describe the type, nature and volume of the data stored on your network
  • Total unique individuals you hold data on
  • Data retention policy and how often you purge records
  • Describe your data backup policy in detail, including frequency of backups, technology used, type of backups, storage method and how often you test restores
  • Do you use RDP?
  • Describe your process for patching operating systems and applications
  • How often do you conduct vulnerability scanning?
  • How often do you conduct penetration testing of your network architecture?
  • What security controls are currently in place? IDS, IPS, WAF, firewalls, DDoS mitigation, employee training, encryption, etc.

Expect more scrutiny of your program, and possibly the involvement of auditors to validate your claims. Check your insurance policy to see if investing in a certification program, such as ISO 27001 or HITRUST, might decrease your premium. If you are a cloud or managed services provider and/or are part of other organizations' supply chains, you should expect to receive more scrutiny from your insurer on the strength of your cyber security program.

Take advantage of any educational opportunities your provider offers on cybersecurity best practices and improvements. This could also lower your rates.

Unfortunately for policy holders, cyber insurance can come with fine print, loopholes and gaps that may result in claims not being paid.

While cyber insurance can be essential to helping your organization recover, it should not take the place of a strong cyber security program. At minimum, your cyber security program should include:

  • a cyber security plan,
  • a business continuity plan,
  • a disaster recovery plan, and
  • an incident response plan.

These plans should be tested, reviewed and updated at least annually along with your penetration test and vulnerability assessment from a qualified third party.

Cybersecurity plus cyber insurance equals balanced risk management. It's not one or the other. No cybersecurity program can eliminate all cyber risk to a business. That's why you also need cyber insurance: to pick up where the security program leaves off by providing coverage for risks that cannot be mitigated.

15 minutes won't only save you 15% on your cyber insurance; it can also save your company :)


Dale Frohman

Principal Site Reliability Engineer. Cyber Security Professional. Technologist. Leader.