

Cyberattacks are on the rise, and they’re getting more sophisticated by the day. Whether you manage network security for a small business or a large enterprise, your cybersecurity strategy no doubt includes the basics, such as firewalls, antivirus software, and multifactor authentication. However, if you truly want to reduce the financial impact of cyber risk, you should consider integrating cyber insurance into your incident response plan. A comprehensive cyber insurance policy can do more than cover costs associated with a ransomware attack or data breach. Cyber insurance can often provide proactive risk mitigation resources, as well as critical services such as breach response support to help your organization get back up and running quickly should a cyberattack occur.
The challenge for most organizations is that the person often tasked with the purchase of cyber insurance (typically the Risk Manager or Treasurer) resides in a separate reporting structure from the CISO or CTO. So, the question remains, how do you successfully integrate cyber insurance into your incident response plan and manage risk collaboratively across the organization? Here are a few tips to help you get started.

WHAT IS CYBER INSURANCE?

Broadly speaking, cyber insurance covers the costs associated with the loss of your data or damage to your network. It also covers the costs of defense (as well as settlements or judgments) resulting from third-party claims brought by private parties or regulatory agencies. Cyber insurance policies typically cover the following out-of-pocket expenses:

• Data breach event management (this includes the costs of hiring an attorney specializing in data privacy who can advise the company of its obligations, as well as engaging a forensic investigator, offering credit monitoring to impacted consumers, and engaging the services of a public relations consultant)
• Business interruption (this refers to the lost income and extra expenses resulting from an outage to your company's network)
• Cyber extortion loss (this refers to the cost of hiring a threat consultant as well as the payment of ransom, unless such payments are being made to an entity sanctioned by the government)
• Data restoration services (in some cases, policies will also cover the costs of computer hardware replacement, also known as "bricking" coverage)
• Cybercrime coverage (this reimburses the insured for the losses associated with misdirected payments or uncollectible receivables due to social engineering or invoice manipulation. It can also respond in cases of utility fraud, also known as "crypto-jacking")
“Cyber Insurance Has a Role to Play in Helping Your Company Identify the Preventative Measures that Can Help Thwart Attacks and Make Your Business More Resilient Should One Occur”

Although small businesses have only recently begun to warm up to cyber insurance, the coverage has been essential to the risk management strategy of most large companies for years, and with good reason. A study conducted by IBM and the Ponemon Institute found that the average cost of a data breach in the United States was $4.24 million in 2021, up significantly from $3.86 million the previous year. And data breaches are only one type of cyber event that causes financial and reputational harm to a business. Because of the steep payments that insurers have made on these claims, the coverage has become much harder to qualify for. In fact, the underwriting process itself can serve as a "gut check" for companies to ensure that they have proper controls in place. No cybersecurity plan is foolproof, and without a way to transfer the portion of the risk that can never be eliminated, your organization may face costly consequences down the road.

WHY INTEGRATE CYBER INSURANCE INTO YOUR INCIDENT RESPONSE PLAN?

Your cyber insurance policy most likely contains a list of pre-approved vendors (or "panel firms") that you will be required to use in the event of a data breach or other incident. It makes sense to confer with these service providers in advance and to even conduct a tabletop exercise so that everyone understands how the company will respond in the face of an attack. Your insurance broker should have a seat at the table to explain how the coverage might apply to different loss scenarios. Developing an incident response plan goes beyond knowing whom to call at the insurance carrier's hotline; business leaders should establish procedures for resuming secure communications if the network has been compromised.
They should also determine who has the authority to decide whether to voluntarily shut down the network, whether and under what circumstances they would consider payment of a ransom to terminate a cyber extortion threat, and how to message updates to regulators and stakeholders. This information should be stored offline and be readily accessible to decision makers in case their email has been compromised and their files become encrypted. Additionally, if the company wishes to use a particular service provider (such as a law firm or forensics team) that is not on the insurance carrier's panel, your broker can seek to have this firm added to the policy by endorsement. That is a conversation that should take place with the underwriter prior to there being an incident; it becomes a much harder request to accommodate while an attack is playing out in real time.

THE BOTTOM LINE

Cybersecurity is complicated and the types of threats businesses face continue to evolve. However, insurance has a role to play in helping your company identify the preventative measures that can help thwart attacks and make your business more resilient should one occur. Cyber insurance also connects you with qualified service providers who can help your business respond to an event. By taking advantage of this coverage, you can reduce the likelihood and severity of these incidents.