If you’re like many business owners nowadays, you’re probably considering options when it comes to cyber insurance. Cyber insurance will likely protect you from a variety of liabilities that you’ll incur if a cyberattack successfully penetrates your business network.
Legal Expenses—if your company is in fact breached, you’ll want to get some legal advice to be informed of all of the specific obligations you have under state, federal and local laws. A company needs to move swiftly through a breach to survive and having legal counsel experienced in cyber incidents can make a big difference.
When sensitive data gets leaked, there may be numerous legal up-hill battles in front of your business. Cyber insurance usually includes coverages concerning about any of the legal incidents.
Forensic work—when your company discovers a breach, you are obliged to determine what has happened and what information was exposed. Expert forensic examinations determine the source of the data breach or attack and, more importantly, help identify files that were touched during the breach.
Cyber insurance should help you determine what was the cause and what files were exposed during the attack—including any sensitive data—need to be evaluated and who needs to be notified of the breach.
Notifications and Press Releases—your company will be required to release a press statement and notification of a data breach. Especially if you have strong regulatory pressure—such as NCUA, PCI or HIPAA—your business will need to notify clients, associates and the public of your breach/attack.
Credit and Identity Monitoring— you will likely be responsible for ensuring identities of your users and clients are safe as a breach requirement.
Your insurance policy will cover you for most of your expenses, likely everything above.
Buy a policy and you’re set, right?
Not so fast!
Read the fine print on your policy. I’m sure your cyber insurance coverage will be contingent that your business is following cybersecurity best practices. At minimum, your insurance company will likely expect you to follow this basic IT Security regimen:
Regular updates and patches—you will be hold responsible for keeping your network up-to-date. Applying security patches across your network is one of your first bets at keeping your business secure.
Train your users—users need to understand their contribution to keeping your network safe. Understanding how to recognize phishing scams, and taking actions to keep your network secure are critical to reducing your risk of a cyber infection.
Backup your network—in the event your network gets infected with ransomware or goes down for whatever reason, having backups will keep your staff working. As long as your team is down, you won’t get cash flow—what’s needed to keeping your lights on!
Monitor your traffic—your IT Support should be vigilantly (daily) monitoring your traffic for suspicious activity. They should investigate anything that is unusual and ensure your network is clean. Monitoring is a critical step in minimizing the effect of malicious activity that may get onto your network.
Test, test, test— I can’t emphasize testing enough. If you don’t test what you do, you can’t guarantee anything is working! Test your backups to make sure you can actually restore files from them. Test patches to confirm they are applied properly. Keep a routine of always testing changes to your network so that you can identify issues and understand a root cause quickly when they pop up.
If you’re not showing persistent effort in protecting your network, you might be at risk to not be covered under your policy (and will have to foot hefty bills!).
BUT, even if you think you are taking proper precautions, many cyber insurance policies require a hefty deductible (around $50,000) before they even kick in. While the insurance policy will prevent you from having to foot the brunt of the cost of a cyberattack (which average over a half a million bucks by latest counts), you will still have a big hole in your pocket after all is said and done if you end up getting a data breach or hack.
Here are a few things to consider before signing your insurance policy.
Get a IT Security risk assessment completed.
The first step to securing your network is to set up a risk assessment and impact analysis. You need to first understand your risks before understanding where your risks lie and what your insurance policy will require. In addition, a thorough security risk assessment will help you understand what kind of coverage you will need from your insurance provider.
Prove cyber event in the case you call on your insurance provider to cover you.
In the event of a cyber incident, you will need to know specifically what your insurance provider requires for you to make a claim. For instance, you may be required to perform a forensic investigation to determine how the breach occurred (in some cases, if you were negligent in patching or keeping your network updated, the policy may not cover you).
You can think of cyber insurance in a similar way to auto insurance. Auto insurance does not give you a green light to drive drunk, just as cyber insurance does not give you the ability to overlook cyber security. Your provider will require specific levels of security to cover a cyber incident (in the event one happens).
Cybersecurity assessments required before coverage begins.
In many cases, your insurance policy will require you to have a full annual cyber security assessment done. Typically an annual assessment will evaluate all potential risks and provide you with actionable remediation steps to securing your business.
The bottom line: Cybersecurity is no joke. Having cyber insurance may be helpful in recovering from a breach, but it is no silver bullet. Your first line of defense against growing attacks is solid IT Security.
Are you thinking about getting a cyber insurance policy, but aren’t sure your business security is keeping you safe. Contact us today about getting a FREE network assessment to identify vulnerabilities.
