While phishing, ransomware and other cyber tactics are on the rise, there is still a significant number of organizations that are left unprotected without a cybersecurity insurance policy. But do you really need cyber insurance? Below we discuss frequently asked questions we hear, including why it’s so important and what businesses need to know before starting a policy.
Is cybersecurity insurance worth it?
In the event of a cybersecurity hack or data breach, the incident response, depending on its complexity, can be very expensive. For example, a ransomware incident that captured 1,000 files containing personally identifiable information (PII) may require a breach coach, a cybersecurity expert to do forensic analysis, a cyber-focused attorney and a swarm of network engineers to bring systems back online, even for a small organization. Thousands of dollars can be spent in just a few hours, and that isn’t counting the possibility of ransom.
What if I set up a cyber insurance policy a few years ago, am I covered today?
Some businesses set up policies even just a few years ago for only $10,000 or $25,000, which just isn’t enough to cover the costs of a modern incident, except for maybe a very basic business email compromise. If you have an existing policy in place, now is the time to make sure it’s brought up to the amount of protection that most modern policies include to be prepared for the worst. These types of policies are easily in the high five to six figures, even for small organizations.
How much should I be insured for?
It depends. Every business should evaluate cyber insurance based on the data they are responsible for. What kind of employee and customer information are you harboring in your network? How much production is lost if systems are offline for extended periods of time? If there are significant amounts of PII harbored within the organization’s file server, then an insurance agent can help you calculate what to prepare for in the event of a breach.
How can my company get cyber insurance?
Traditional commercial general liability and property insurance policies typically exclude cyber risks from their terms, which led to cybersecurity insurance being introduced as a standalone line of coverage. Today, most insurance companies offer cyber insurance policies. Contact your business’s insurance agent or broker to inquire about a cyber insurance policy.
What information will cyber insurance companies need to start a policy?
Most insurance companies are not going to automatically cover cybersecurity incidents, including ransomware, without making sure organizations are taking the proper steps to secure their technology. When establishing a cyber insurance policy, cyber insurance companies may ask you a series of questions about technical topics, but none as frequently as multifactor authentication on every virtual doorway into organizational resources. It’s important to be prepared and at least have basic cybersecurity safeguards in place to make your company insurable. Before establishing a policy, an insurance company will want to know that you have:
- Multifactor authentication enabled AND enforced on your company mailboxes (yes, there is a difference)
- Multifactor authentication enabled for VPN access
- Multifactor authentication enabled for major network infrastructure as well, including servers, firewalls, backups or really any computer that has administrative access (as opposed to basic user access)
Too commonly, especially at smaller organizations, companies give employees administrative access on company computers, so they are not denied or even prompted when installing new software or updates that require privileged access.
What happens if we do not have the recommended cybersecurity safeguards in place?
If the cyber insurance company discovers that you don’t have strong safeguards in place to protect your business from a breach, they will classify the business as higher risk and premiums will cost more, or they may deny a policy altogether.
What if my company has cyber insurance, but we need to file a claim about a cybersecurity incident?
If your business needs to file a claim, your insurance company will ask questions to identify characteristics of the situation and determine what is necessary. Large insurance companies may already have approved lists of private cyber incident response teams to determine the best course of action. If you already have a cyber incident response team, your insurance company may recommend their own instead, or they may have to vet yours to make sure they are adequately prepared to navigate an incident. A good incident response team will follow specific governance procedures to make sure that the incident is contained and threats are eradicated, among many other steps to safeguard your organization.
Do you need help navigating cyber insurance and attestations from your insurance company? Anders Technology advisors and our affiliate company, Claris Advisors, are here to help. We can work with you to evaluate cyber insurance options and determine the best fit for your security needs and business goals. Contact an Anders advisor below to discuss your situation.