Many organizations have taken the leap into the cyber insurance market over the last few years, not only for peace of mind but also because the industries they operate in expect it.
Yet most organizations consistently fail to measure their overall cyber risk appropriately and to understand what they must do to stay compliant with the policy terms.
Beyond that, the process for acquiring cyber insurance is far from straightforward. Carriers now conduct deep-dive assessments of your security posture to determine the risk they take on by issuing a policy. What they find during these assessments can determine the policy terms and conditions, as well as your pricing.
At the same time, as threats continue to advance in severity, carriers are continuously changing policy terms and adding exclusions to remove ambiguity on coverage.
Understanding Your Risk
Your organization must consider the value proposition of cyber insurance and what amount of coverage makes sense for you.
In order to make the best decision, you need to take a step back and truly think about the enterprise-level impact of a major cyberattack. It’s important to consider operational losses, while also looking at:
- The costs of recovery
- Potential long-term litigation
- Customer notification/protection (credit monitoring)
- The true loss due to reputational harm
To learn more about the cost factors of a cyber breach, please refer to our recent blog, Cyberattacks – The True Costs.
You must also understand the type of cyber insurance policy your organization is acquiring. You can choose to purchase policies that are categorized as first-party and/or third-party.
First-party coverage usually pays for things like the cost of forensic investigation, fines and penalties resulting from lost data, financial loss, damage to technology assets, and the cost of notifying affected customers.
Third-party coverage deals with affected parties outside the insured organization. This coverage includes things like legal expenses, damages, settlements, and claims by customers/individuals affected by an attack.
Policy Compliance Challenges
Cyber insurance isn’t a get-it-and-forget-it proposition. Stakeholders at your organization must understand their coverage and continue to be proactive in maintaining a strong cyber security program.
In fact, if your organization does experience a breach, you can expect your carrier to conduct due diligence to validate that you maintained proper cyber security hygiene. This could involve a review of multiple aspects of your program and of the actions you took in response to the incident.
Key failures that could lead to partial or complete denial of your claim include:
- Vulnerability Management – Failure to patch known, published vulnerabilities within your network
- Privileged User Accounts – Failure to appropriately manage and secure privileged accounts (e.g., lack of multifactor authentication)
- IR Retainers – Failure to maintain the agreed-upon incident response retainers with carrier-approved vendors
- Incident Response Plans – Failure to create and/or maintain your organization’s cyber incident response plan
- Incident Notification – Failure to notify the carrier in a timely fashion, or notifying the carrier improperly
There is no guarantee that an attack can be prevented, even with a strong cyber security program. The best organizations run a proactive program that delivers risk-based controls to reduce both the likelihood and the impact of an attack. To do this effectively, the program needs the support and full engagement of executive leadership.
How We Can Help
At White Tuque, we believe the first step to protecting your assets is understanding your business and the associated risks. Using an advanced and risk-based approach that adapts to the evolving threat and regulatory landscape, White Tuque can become your trusted cybersecurity and resiliency partner.
To learn more about our services, please reach out to us to schedule a free initial consultation.