Cyber Insurance… You pay for coverage, but are you really covered?
The article below was written by Island Edge Business News Contributor Joseph Horowitz, a cybersecurity expert with Stetson Cybergroup. Check out his profile on LinkedIn.
Thanks to cybersecurity liability insurance ("cyberinsurance"), many organizations have strengthened their defenses against cyberattacks. Many others, however, have adopted the view that cyberinsurance is all they need to protect themselves from an attack. BUT is cyberinsurance really the silver bullet, the simple and seemingly magical solution to a complicated problem that everyone expects to protect their organization and everything they have worked hard to build? Let's explore…
The first recorded cyberinsurance policy was sold in 2001, designed to protect businesses from the financial consequences of a cyberattack. Cyberinsurance is a specialized coverage that helps pay costs such as legal fees, data recovery, breach notification, and the public relations effort needed to manage the fallout from a cyberattack or data breach. Whatever the motivation, I applaud the insurance industry for introducing cyberinsurance. Underwriting this coverage brought greater awareness of the cyber threats facing organizations and forced them to take concrete steps to protect their own, and their clients', data, information, and finances.
In the world of cybersecurity, the best practice is to do as much as possible to PREVENT a cyberattack from succeeding. In my nearly 30 years as an audit, risk, and compliance professional, the six Functions of the National Institute of Standards & Technology Cybersecurity Framework ("NIST CSF", version 2.0) accurately depict how an organization of any size should approach a successful program. The Functions are GOVERN (the organization's cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored), IDENTIFY (the organization's current cybersecurity risks are understood), PROTECT (safeguards to manage the organization's cybersecurity risks are used), DETECT (possible cybersecurity attacks and compromises are found and analyzed), RESPOND (actions regarding a detected cybersecurity incident are taken), and RECOVER (assets and operations affected by a cybersecurity incident are restored). Cyberinsurance belongs in the RECOVER function: it is a financial backstop, not a control. GOVERN, IDENTIFY, and PROTECT are designed to keep an attack from succeeding, DETECT is designed to catch one in progress before it does real damage, and RESPOND and RECOVER provide the steps necessary once a successful attack has occurred.
Anyone applying for cyberinsurance is usually required to complete a questionnaire, typically with Yes, No, and N/A answer options, before the policy is issued. From what we have seen, these questionnaires range from one to 20 pages of questions about the security measures in place. The glaring inconsistency in how much security is questioned and/or required from one insurance company to the next is alarming. Some organizations choose a carrier partly because it asks the fewest questions about their data privacy and protection controls and offers the lowest premium. The answers themselves are often unreliable, either because the person completing the form does not understand how to answer the questions or because they reply Yes to everything to obtain coverage at the lowest rate, knowing that most insurance companies will not ask for supporting evidence at application time.
Unfortunately, many of these questionnaires are too coarse to describe the whole organization. They ask whether you have Multi-Factor Authentication ("MFA") enabled, but they do not prompt any thought about whether MFA is enabled on all applications and systems, including, but not limited to, third-party web/online applications. So when a breach does occur through one of the applications that does not have MFA enabled, the premiums paid may turn out to be wasted: the Yes on the questionnaire is now a misrepresentation of the controls actually in place, and, depending on the policy's warranty and application language, the insurer may reduce or deny the claim for recovery services. The same applies if even one computer on the network lacks current anti-malware protection, or if the firewall was not configured to provide the protection against external threats that the application described. The practical check is to answer each question against an inventory of every system it covers, and to answer No or document the exception where coverage is incomplete, rather than answering for the systems you happen to remember. For small and mid-sized organizations, as well as non-profits, schools, and government agencies, a denied claim can hurt the bottom line and damage the organization's reputation with its clients, because recovery costs can be substantial.
I would still recommend that all organizations maintain a cyberinsurance liability policy in the event of a successful breach. When completing the questionnaire, take a collaborative approach, involve the people who actually administer the systems, and make sure every answer is truthful and can be supported with evidence. Beyond that, organizations should take a PROACTIVE approach to preventing a successful cyberattack in order to reduce financial and reputational risk. A well-balanced cybersecurity program begins with a risk assessment / gap analysis that identifies the risks that could negatively impact the organization and produces organization-specific recommendations to reduce them…and that includes the risk of NOT being reimbursed under the insurance policy despite paying high premiums.