Is Cyber Security Insurance A Double-Edged Sword?

With threat variants starting to spiral out of control, especially Ransomware, SMBs are scared for the simple reason that they can be financially ruined. What has taken years to build could be gone in just one day. There is one mechanism out there that is giving this market a lifeline, and that is Cybersecurity Insurance.

Technically speaking, once you have filed a claim, you should expect a payout within a short period of time, much like auto insurance. But in reality, it does not always happen like this.

This industry is a rather complex one, but for this article, we will focus on some of the key areas that you, the SMB owner, need to understand before you pick a policy.

Then, we will segue into why it is a proverbial “double-edged sword.”

1st & 3rd Party Cyber Security Insurance Coverages

Here is what you need to know in this aspect:

The 1st Party Coverages

1. Loss of Electronic Data:

Your Cybersecurity Insurance Policy will cover this without too many questions being asked. Even if there has been damage to the Personally Identifiable Information (PII) datasets of your customers and employees, this should be covered as well. This is why it is called “First Party Coverage.” But the main caveat here is that your datasets must have been impacted directly by a Cyberattack, such as a hack, Ransomware attack, Worms, Viruses, DDoS attacks, etc. A common question that gets asked is whether Insider Attacks will be covered, and the answer is yes, they should be.

2. Cyberextortion:

The attackers are going far beyond what the norm has traditionally been, because they are now willing to expose your datasets, or even dirty secrets about your company (assuming they can get access to them), to the public unless you pay up. The typical example of this is now Ransomware. Apart from selling their gains on the Dark Web, the Cyberattacker is willing to defame you and your company if the ransom is not paid up quickly in Bitcoin. This used to be deemed a 1st party coverage by the insurance carriers, but now it has become a gray area.

3. Notification of Breaches:

After you have been impacted by a Cyberattack, regulations now require that you notify the affected parties within a short period of time. No matter what route you take to do this, it will cost money, but this is deemed to be a 1st party coverage, so it will be covered directly by the insurance policy.

The 3rd Party Coverages

1. Brand/Reputational Damage:

Once you have been impacted by a Cyberattack and are working toward a normal recovery, the next battle to be fought is how to win your reputation back and regain those lost customers. It can take years to build a trusting relationship with a customer, and that can be destroyed within hours. The good news here is that your Cybersecurity Insurance could perhaps reimburse you for what is technically known as “Reputational Damage,” but this is an area in which the actual dollar losses are obviously much more difficult to quantify. If you can substantiate the number, you are likely to get a payout.

2. Network Security:

As we all know, your Network Infrastructure is the number one area through which the Cyberattacker will find their way in. But you have to make sure that your IT Security has been kept up to date by downloading and applying patches/upgrades in a timely fashion.

3. Electronic Media:

Social Media has become a very powerful marketing tool with which the SMB can showcase new developments and products/services. But on the flip side, it can also be used to your company’s detriment. For example, an angry customer could post something negative, or an employee could do the same. If an employee posts something negative about a competitor on your Twitter feed, there is a good chance that you could face a lawsuit. Your policy should be able to help financially offset some of these costs, but once again it comes down to the fact that this is a Reputational Damage cost. If you can back up your numbers, you should be able to get a payout of some sort. But it is important to keep in mind that this relates only to slander or defamation on a Social Media site that your company owns; it does not cover anything that comes out in traditional print.

The Double-Edged Sword

Now that you have a better understanding of what will be covered directly (1st Party Coverages) and what may take some effort on your part to prove (3rd Party Coverages), you probably feel a lot more secure knowing that you have a financial blanket covering you. But don’t fall into this fallacy of thinking. Just because you file a claim does not mean that you will automatically get a payout.

Probably the best example of this is Ransomware. In the past, insurance companies were more lenient in giving you a payout if you actually made the Bitcoin payment to the Cyberattacker. But not anymore. Because of the sheer rash of attacks that have occurred this year, many insurance companies are not giving payouts if you actually pay the ransom.

Also, given the huge uptick in data leakages, many insurance companies are now mandating that you have proof that you are compliant with the tenets and provisions of the various laws such as the GDPR, CCPA, HIPAA, etc. You have to show the carrier not only that you have the appropriate controls in place, but also that you are testing them on a regular basis.

Also, having documentation such as an Incident Response/Disaster Recovery/Business Continuity Plan may have been optional some time ago, but it is not anymore. Most insurance companies are now requiring not only proof that you have them in place, but also that you are rehearsing them on a regular basis and updating them with the lessons learned from each exercise.

Further, you also have to prove now that you are taking all of the steps you can to remediate any unknown gaps or vulnerabilities in your business. This means that you need to engage in some sort of Vulnerability Scanning or Penetration Testing activities and provide documentation that you have actually done this and closed the holes that were found.

Finally, you also have to show evidence that you are holding regular Security Awareness training programs with your employees. This will be needed in case you file a claim where employee negligence was involved, despite your best efforts in educating them.

How Results Can Help Get Your Business Prepared for Cyber Insurance

The bottom line is that at some point in time you are going to have to take the proactive steps just described, either when you first apply for a Cybersecurity Insurance Policy or when you file a claim. So why not start now, and have the assurance that you will get that payout when you need it the most?

If you need assistance with implementing a cyber insurance plan, partnering with a trusted managed service provider like Results Technology can help lead you in the right direction. We understand that cybersecurity is a journey, not a destination, and that there are many components to your business IT and cybersecurity. Reach out to us today to schedule a call with one of our sales experts.