Cyber Insurance: Does Your Organization Need It?
A cyber attack is not just inconvenient and expensive, it can be an existential threat to an organization.
For companies that sell products through e-commerce or maintain electronic data on their customers, a systems breach involving this information can cripple or ruin a business. It is no longer a question of “if” any given company or organization is going to be hit with a cyber-attack — it is when.
And when that attack comes, who is willing to take on that risk?
Every company—large, small, in healthcare, technology, manufacturing, and more—is subject to cyber risks. Almost every day now, we learn about yet another cybersecurity incident. Be it ransomware, phishing emails, any other malware, or even employee negligence, companies are finding themselves the target of a cyber attack all too often.
And for many leaders at these companies, a cyber insurance policy appears to hold a lot of value.
For some organizations, it may be that they feel they are fully prepared to take on the challenge of defending against an attack or potentially recover from one. But cyber insurance offers the ability to transfer that risk to an insurance company that can help with everything from covering lost revenue to providing incident response as soon as an attack is detected.
Insurance coverage for cyber risks is relatively new and continually evolving. However, the threats to organizations and the possibility of legal action against them is a reality that business owners should consider.
We live in a time when many organizations do most (if not all) of their business electronically, and the majority of their assets are in the data they collect. There have been several high-profile personal information breaches that have compromised tens of millions of records and cost the affected companies millions of dollars.
A good example is the Equifax data breach that impacted millions of people and was a hot topic back in 2017.
Cyber criminals are constantly devising new techniques to attack organizations. Here are a few of the most common methods:
- Denial of service attack: The hacker floods a website with more traffic than it was built to handle, making it impossible for legitimate visitors to access the site.
- Phishing: An attacker pretends to represent a trusted person or an organization to trick a user into taking an action (such as opening a malicious attachment or clicking on a bogus link) that he or she would normally not take.
- Malware: Harmful software takes control of a machine, monitors user actions and keystrokes, and/or sends confidential data from the infected computer or network to the attacker’s home base.
- Ransomware: This type of malware encrypts files to prevent users from accessing them and then demands payment for their safe recovery. These attacks can occur after clicking on a phishing link or visiting a compromised website.
- Spoofing: A cyber criminal impersonates another user or device to attack network hosts, steal information, spread malware or bypass access controls.
- Brute force: The attacker attempts to decode encrypted data by trying as many password combinations as possible, as quickly as possible.
Of course, it is equally as important to keep physical security threats in mind.
Does Your Organization Need Cyber Insurance?
With the ever-evolving threats in the digital landscape, the following question comes up: does an organization need cyber insurance?
As always, the answer is: it depends.
On the one hand, numerous cybersecurity products and services are continually introduced to the market to tackle the growing range of cyber threats. For example, Managed Detection and Response helps organizations understand their security environments and enhance their threat detection and response capabilities.
On the other hand, an IT department and/or an IT services provider would typically take the lead in protecting the organization’s data and systems. Cyber security is one of the reasons why businesses should consider an IT services provider.
However, as the number of applications, devices, users, etc. increases, an organization becomes more vulnerable to attacks. Just like businesses insure against business problems, natural disasters, and physical risks, they may need insurance coverage for cyber risks as well. If a costly breach occurs, a company may not have the resources on hand to combat these issues or recuperate losses.
Cybersecurity insurance can provide support, so these attacks do not cripple a business.
Typical Cyber Insurance Coverage
What can cyber insurance cover? Most cyber insurance plans cover a broad range of cyber risk losses that may unexpectedly arise from cyberattacks. In addition, some plans can offer coverage for physical damage to hardware or coverage for business income loss.
Plans can be tailored to your current business security posture; see the list below*.
- Regulatory defense expenses: Civil fines incurred in responding to a regulatory proceeding resulting from a privacy or network security breach
- Legal and civil damages: The cost of legal representation and possible damages related to a privacy or network security breach
- Security breach remediation and notification expenses: The costs to notify affected parties and manage a privacy incident
- Crisis management expenses: Public relations expenses to manage the damage to your organization’s reputation
- Forensic investigations expenses: The costs of hiring a breach response firm
- Computer program and electronic data restoration expenses: Expenses to restore or recover damaged or corrupted data caused by a breach, denial-of-service attack or ransomware
- E-commerce extortion and reward payments coverage: Pays for the cost of a professional negotiator and potential ransom payments to the person or organization extorting you or your organization
- Business interruption and additional expenses: Income your business loses and the costs it incurs due to an interruption in services
Some may wonder if cybersecurity defense can solely be replaced by cyber insurance. Believe it or not, the answer is NO.
Cyber insurance can be a great way to mitigate the damage caused by a breach, but it should complement cybersecurity technology as part of an overall cyber risk management plan (which must be established and maintained with input from multiple stakeholders). At the end of the day, insurance coverage is a finite resource.
Insurance providers will analyze the strength of a company’s cybersecurity posture before issuing any policy. Strong security postures allow for better coverage and, in some cases, access to enhancement coverages. Fragmented enterprise security approaches can make it difficult for insurers to fully understand an organization’s security posture. This can result in inadequate or poorly targeted insurance purchases by insured companies.
If a business has not invested in the appropriate cybersecurity solutions and controls, then it may not qualify for cyber insurance at all, or it could be limited and expensive. Now may be a great time to assess the organization’s current cybersecurity measures and look into the option of cyber insurance to mitigate and recover from any potential attacks.
Before speaking to your preferred insurance provider, it is worth considering these six questions* when looking for or purchasing a cyber insurance plan:
- How many records containing personal information does your organization retain or have access to?
- How many records containing sensitive commercial information does your organization retain or have access to?
- What security controls can you put in place to reduce risk of having your system compromised?
- Do all portable media and computing devices need to be encrypted?
- What about unencrypted media in the care, custody or control of your third-party service providers?
- Could you make a claim if you were unable to detect an intrusion until several months or years had passed?
At the end of the day, cyberattacks can evade even the best security tools. They can get by firewalls, threat management solutions, and intrusion prevention systems. Cyber insurance can be as important to an organization as having the right tools, people and controls in place to combat cyber threats.
The key is to have a balanced approach to cyber risks.
At Genieall, we help our clients to focus on their business by granting IT wishes. This can range from cyber risk assessments to information systems audits to assistance with addressing cybersecurity gaps to name a few.
*Credit to Insurance Bureau of Canada
Incorporated in 2012, Genieall Corporation is a privately-owned Canadian IT Services and Consulting company. Being an ISO 27001 certified organization, Genieall provides managed and IT consulting services to companies in the Energy, Manufacturing, Construction, Health Care, and Finance verticals.
Genieall understands that IT infrastructure is fundamental to your business. For that reason, Genieall typically establishes trust with its clients by demonstrating its capabilities.
This is usually accomplished through a small engagement, urgent support requirement or consultation.
From there, our customers look to expand the support service to include both project and operational support using our Rightsourcing Model (the right balance of internal and external resources).
Throughout the process, Genieall’s culture of transparency, Customer-First approach along with our service model help us to establish and maintain trust.
Stay in Touch
Email: [email protected]
Phone: (866) 214-7863