“A key component of why it’s so critical to integrate the insurance with the MSSP, is because you need to understand what you currently have in place, establishing a baseline, and then opting for coverage. Too many times people don’t know what their situation is, which can lead to litigious claims scenarios or denials down the line,” says Andres Franzetti.
How does insurance fit within your cyber protection strategy?
According to Dan Dickenson, “In servicing the SMB market – from 500 to 50 seats – over the course of many years, we’ve seen a lot of cyber incidents. They are a crime of opportunity, and a crime that has virtually no cost to the criminals who try to attack your security infrastructure.”
While the threat landscape has evolved, what hasn’t changed is the human factor. Almost all attacks involve a person making a mistake, and while good security habits can help, ultimately cyber insurance coverage is needed to protect the business.
“We often tell clients that cyber insurance is an important part of a cybersecurity strategy. Have a conversation with the client, the security team, and the broker to review your policies and ensure your business requirements and your technology are aligned with your coverage. Many times, we find gaps there,” cautions Dan.
While the cyber insurance market has seen wild fluctuations over the past few years, with premium increases and lack of access, it’s now softening slightly as insurers are able to use data to take more calculated risks.
If you have a computer, you have cyber risk. Then, it’s up to you to determine if you have the resources to deal with a cyber-attack on your own, and smaller companies are going to struggle the most. In today’s environment, even mid-sized firms are unlikely to have the resources needed to effectively manage cyber security in-house and almost certainly do not have the resources needed to handle a cyber incident.
“Cyber coverage, a good MSSP, a good IT provider are really necessary for almost any organization today because the complexity is ramping up so much,” Dan argues, and “just like the attack surfaces and technical requirements have really ramped up over the last five years, the business requirements have and will continue to ramp up as business contracts also require attestations of cyber coverage.”
What is cyber insurance?
Many people mistakenly think their cyber risk is covered with the bundled insurance they have in place, and too often they’re not adequately protected. While general liability insurance is meant to address third-party liability (mostly physical harm or property damage – think, slip and fall), and professional liability insurance addresses issues with the service a business is providing to its customers, cyber insurance and cyber liability are very different. These policies come into play when a cyber breach occurs, to cover the damage to the organization as well as potential data-related damages to the organization’s customers. “There’s a lot of nuances with cyber coverages and cyber insurance policies out there, so it can be very daunting for the uninitiated,” Andres explains.
Security and privacy liability coverage is the most commonplace cyber insurance policy, which is triggered when a breach takes place and data is compromised. The coverage addresses liability, regulatory compliance requirements, and remedies for impacted individuals. Another coverage, which not all policies include, is breach response: the activities performed by your MSSP or IT providers to get the business back online.
To complicate matters, cyber policies can also cover proprietary research and IP (multimedia liability), the cost of claims and assessments (privacy regulatory claims coverage), business interruption, reputational harm, and digital asset restoration. For firms that offer technology as a service, Technology Errors & Omissions coverage is a blend of professional liability and cyber.
Andres notes, “There’s no shortage of real-world cyber incidents to look back on, which is why it’s so important to know what the landscape looks like and have the right partners in place.” Sometimes the easiest and least expensive coverage to procure (for example, a general liability policy with a cyber endorsement) is not going to provide enough coverage to get your business back online if an incident occurs.
It’s a classic example of ‘you get what you pay for.’ Andres recommends the stand-alone products that provide additional third-party coverages and require more rigorous underwriting. In fact, robust cyber coverage can actually bring in resources and services to address your cyber incident, such as public relations crisis communications. Moreover, there are front-end protections like assessments and testing to help firms better position themselves to prevent a breach – as well as better pricing and coverage based on top-tier preparation.
Good cybersecurity is a force multiplier.
Technology capabilities have never been greater, which means increased complexity and more intersections of technologies among day-to-day business activities. Says Dan, “Every time we’ve engaged with insurance providers around high quality policies, it always yields a greater comfort and greater protection in the organization.”
Cyber insurance can be the forcing function to help organizations take up security recommendations IT providers have been making. But it’s not the end-all solution; there will always be limitations and exclusions. Coverage can be triggered or denied based on actions taken or not taken.
Cyber coverage evolves year by year, both in the minimum security required and in what is covered, based on the accumulation of data about losses from carriers. “The risk as it stands today is not the risk of tomorrow, so carriers are continually looking for additional data and learning from the past. Tougher underwriting is in place to enhance coverage and carrier protection,” says Andres.
Insurers are doing vulnerability assessments themselves as part of an organization’s cyber insurance application process, and if they find a gap, they could decline to even quote cyber coverage. Then, there’s the underwriting process itself, which has adopted increasingly rigorous security standards for coverage.
Andres says, “Any C-suite is going to contemplate the ROI, and I think insurance and cybersecurity go hand in hand. You can really see the impact of having proper cybersecurity in place, how good practices can lead to those insurance discounts, insurability and greater coverage.”
When the world was jolted awake to the risk of cyber attacks starting in the ’90s, leadership began to grapple with cyber risk and security. Over the past 20 years, more standards and enforcing organizations have come into existence and most industries now have a cyber component to their licensing and operating requirements. “Technology evolution is creating new risks, creating increased premiums, and creating new solutions to help facilitate responses. Being prepared and having integration with your MSSP is so critical to building cyber resiliency.”