- July 16, 2021
As small and midsized businesses (SMBs) leverage technology to meet business goals, threat actors have refined their attack methods for greater impact, and cybersecurity risk has become one of the most critical business risks in today’s landscape. Fortunately, insurers have been planning for future cyber-risks; popular cyber-insurance plans today cover two of the most pressing concerns for SMB stakeholders: operational and cybersecurity risks.
Cybersecurity insurance is a type of insurance designed to protect organizations from the potentially disastrous impacts of cybercrime such as malware, ransomware, distributed denial-of-service (DDoS) attacks, or any other technique of compromising sensitive data or networks.
Unfortunately, when it comes to cybersecurity and insurance, SMBs have expressed fear about losing twice — as the victim of both a cyber-breach and a denied cyber-insurance claim. First they suffer a security breach that causes significant damage, and then they discover that their insurance policy will not cover them.
How do security best practices and baseline controls impact cybersecurity insurance claims?
Organizations are often required to fill out extensive questionnaires about their policies and controls before their insurance is approved. In addition, many cyber-insurance policies stipulate baseline controls that must be met. For example, an annual IT infrastructure assessment may be required as part of an organizational policy, or the organization may have to provide a documented cyber-risk analysis of its controls and firewalls. If the organization does not adhere to the stipulated baseline controls, its claims may be denied.
Cybersecurity insurance is often purchased by SMBs without verifying exactly which required controls they lack or do not understand. If they cannot prove that these controls were in place when a claim is made, the claim may be denied. A case in point is BitPay, whose $1.8 million cybersecurity insurance claim was dismissed by the Massachusetts Bay insurance company. Massachusetts Bay had issued BitPay a cybersecurity policy before the cyberattack, yet the $1.8 million claim was denied because the reported losses were ruled not to have occurred as a direct result of the cyberattack.
Following several cyber investigations, security experts revealed that a BitPay partner was compromised because he lacked basic email security controls on his computer. The attacker was thus able to reach BitPay’s crown jewels as a consequence of the company’s poor security posture and security negligence.
In many cases, cyber insurance companies will not pay a claim for a preventable incident. For example, a policy may deny a claim if proper cybersecurity measures were not in place at the time of the occurrence, much as an auto insurance policy would not cover a stolen car if the doors were left unlocked.
How to ensure that your cyber insurance claim is approved
Insurance providers will typically conduct a basic cybersecurity audit of a potential customer when underwriting a policy. Businesses should therefore carry out their own security audit before the insurer does.
While conducting a comprehensive cyber-risk assessment, an organization must fulfill the following checks:
- Ensure that antivirus systems and perimeter firewalls are in place.
- Ensure that the organization has a robust security patching lifecycle for all the software tools in use.
- Be sure that an effective user management process is in place, especially for access control management.
- Ensure that physical security measures are in place and that they comply with industry regulations.
- Make sure that the mobile devices that interact with sensitive or regulated data are encrypted.
Additionally, businesses should develop a digital security policy, provide basic cybersecurity training to staff, and regularly examine and resolve all security monitoring alerts. Finally, when considering cybersecurity insurance, it is crucial to identify the cyber-risks your company is prone to and to mitigate them.
Even large firms with dedicated IT security departments are vulnerable to data breaches. Below are some steps you can take to minimize cyber risks:
- Cybersecurity Risk Assessment – Understanding your business processes as well as your systems and data will help in securing your information. In addition, it is essential to recognize the cyber-risks that your business faces so that you can prevent them or quickly recover from cyber-attacks.
- Regular Security Awareness Training – The hacking techniques keep changing; therefore, employees must stay on top of the latest threats.
- Data Encryption – Encryption scrambles the data on a drive so that it can only be read with the decryption key. This is not the same as password protection, and it is generally the preferred method.
- Access Control Management – Proper access control management ensures that only authorized users can use corporate devices, whether on-premises or remotely. Implementing an automated access control management framework therefore increases the resiliency of your security posture.
- Updating your Knowledge of Cybersecurity Laws and Regulations – Stay aware of any changes in the law so that your insurance does not lapse without your knowledge.
Cybersecurity insurance policies include a commitment to maintain appropriate security measures designed to prevent a cyber-incident, and coverage may be denied if these measures are not maintained. The detection and prevention of security incidents usually begin with proactive network monitoring, and up-to-date security controls are a critical prerequisite for any cybersecurity insurance claim.
Finally, actively developing a cybersecurity program, rather than merely trying to meet a standard, will strengthen a company’s defenses and make it a good candidate for cybersecurity insurance.