There are all types of insurance you need to carry for your organization — property insurance, workers compensation, liability — the list goes on. But cyber insurance seems to cause more confusion than the others, and that confusion could damage your business for years or put it out of business.
Cyber insurance is designed to cover your liabilities in case you suffer damaging events with your systems, or experience data breaches. It’s important to have the right insurance that’s designed for your needs — and to understand its limitations.
And, as you’ll see in a moment, there are scenarios when your insurance won’t protect you for the coverage you thought you signed up for.
Signing Up for the Right Cyber Liability Insurance
As with most types of insurance, you’ll need to go out and do your own analysis, digging, and comparisons when shopping for cyber insurance. It’s important to understand the coverage you need and the circumstances for that coverage. Ask exactly what is covered and protected, and what isn’t. Find out to what extent it’s covered.
Also do your due diligence to determine the scope or scale of protection that your organization actually needs.
Ponemon Institute does an annual cost per breach study. It’s a terrific metric to use in your insurance research. They interview organizations each year that really had a breach and aggregate the costs to the organizations. They break that data down to cost per record. While evaluating how much you have to protect, determine how many sensitive data records your organization has and check the latest numbers from Ponemon. If you were to have a massive breach, how much exposure would you have? It’s an incredibly helpful barometer for estimating your potential costs.
While searching for the right cyber insurance for your company, use an insurance agent who has a purview over several different carriers. This will save you a good deal of time and effort.
That Insurance Application Survey Is More Important Than You Think
Many organizations don’t realize that the most important element of cyber insurance is the application survey you fill out when you sign up. There are all sorts of questions to answer — what type of business, what types of information you need to protect, etc. There’s also a series of questions about your security practices:
- Do you have antivirus software in place?
- Do you have firewalls in place?
- Do you go up against a particular security and compliance standard?
- Are you doing regular, recurring vulnerability scans?
- Do you have logging in place?
And so forth. If your company already has cyber liability insurance, someone in your organization filled out one of those surveys when you purchased the insurance.
Here’s where it gets sticky. The insurance arena is usually seen as a business function, and it’s typically owned by someone in the finance department. Because the questionnaire is seen as a formality, they may not come to others for help filling it out. In fact, this is very common. And this is where things can go wrong.
A lot of organizations will operate under a false sense of security, thinking that they’re protected under the coverage they just bought. But if someone simply answered “yes” on the questionnaire, all the way down the line, you might not be covered at all.
If you already have cyber insurance, now is a good time to do some sanity checking. Find out who filled out the last survey and how it was filled out. What did they say your organization is doing — and are you really doing it?
This sanity check could save your company millions of dollars, and here’s why.
Not Actually Protected?
I’ve been pulled into a couple different engagements where the company was already in trouble. An event had occurred, and they were ascertaining what had happened and doing forensic investigations. To their great surprise, the cyber liability insurance wasn’t going to cover anywhere near what they thought.
The first thing an insurance company does when you make a claim is check your survey and start asking questions. “How did this breach occur if you had these protections in place? Show me that these things are still in place.”
In the case of the companies I dealt with, their survey responses didn’t match their security practices. Their claims were only partially valid. The business owners were caught in the middle, trying to negotiate on bad footing with the insurance company while dealing with the fallout of the accounting department filling out the application survey incorrectly.
If someone in your company just answered yes all the way down the insurance survey, the coverage you thought you had might not apply, because you aren’t doing the things that you attested to doing in order to qualify for the coverage in the first place.
From what I’ve seen, most companies aren’t doing the things they should be doing, and their cyber liability insurance could be at risk.
Cyber Insurance Was Never Designed to Protect
Imagine a restaurant having fire insurance but never cleaning their grease traps. Grease is going to keep building up and building up. Eventually, that restaurant is going to have a fire, guaranteed. Fire insurance might give them funds to rebuild (while being closed down for months), but cleaning their traps would have prevented the fire in the first place. They should have kept the insurance and added the proactive measure.
Cyber insurance isn’t designed to protect your company. Insurance can’t prevent disaster or protect your data. It can’t ensure that bad things won’t happen to you. And insurance can’t protect your reputation. It can only reimburse you for financial losses, after the fact.
Invest in Real Cyber Protection
Cyber liability insurance is your holy-moly, something unforeseen went horribly awry emergency parachute. It’s your backup plan. Your primary shield of defense is having a good, solid, proactive security program.
A well-running security program is a far better shield than any insurance plan could ever be, because it actually reduces the risk to your organization. With cyber insurance, you’re trying to mitigate risk. But is there any better mitigation actually removing the problems that could cause risk?
Security and Compliance Made Simple
TCT Portal lets you easily and confidently confirm that you have everything in place to be protected. It’s your helpful tool to stay on track, know where you’re at, be proactive, and help leverage your cyber liability insurance if you ever need it.
You’ll also save time navigating the compliance waters and keeping everything organized in one place.
I would hate like hell to think that everything is golden for my company, and that we have everything in place — only to find out that the protection isn’t worth the paper that we signed. It’s just too hard to build an organization from scratch, only to see it evaporate. And it happens to companies every year.
But it doesn’t have to happen to you.