Cybersecurity insurance is designed to mitigate losses from a variety of cyber incidents, including data breaches, business interruption, and network damage.
Traditional commercial general liability and property insurance policies typically exclude cyber risks from their terms, leading to the emergence of cybersecurity insurance as a “stand alone” line of coverage. That coverage provides protection against a wide range of cyber incident losses that businesses may suffer directly or cause to others, including costs arising from data destruction and/or theft, extortion demands, hacking, denial of service attacks, crisis management activity related to data breaches, and legal claims for defamation, fraud, and privacy violations.[1]
As corporate data breaches continue to rise, many business owners feel the need to rethink their security practices and strategies for risk management. These breaches come with financial repercussions, a potential loss of customers and a negative reputation in the marketplace. Business owners are developing preventative measures and response plans that improve security practices and include cyber-security insurance to ensure their business’s recovery after such an attack.
Cyber-security insurance is a new type of coverage, often referred to as cyber-liability or data-breach liability insurance, that is offered as a standalone policy. It helps companies recover from data loss caused by a security incursion, a network outage or a service interruption, and it is an important part of a business's strategy for risk management and response. [2]
Any company that works with customer data online has a greater need for this type of insurance. There are two separate types of cyber risk insurance. First-party cyber liability coverage is the kind that non-IT firms most often need. When a business experiences a data breach or a similar incident, it files a claim on its first-party policy. The benefits it could collect include funds for
- Notifying clients that their information was compromised or exposed.
- Purchasing credit monitoring services for customers affected by the breach or hacking incident.
- Launching a public relations campaign to restore the reputation of the company affected by the breach.
- Compensating the business for income that it isn't able to earn while it deals with the fallout of the data breach (i.e., Business Interruption Insurance).
- Paying a cyber extortionist who holds data hostage or threatens an attack.
Third-party cyber risk insurance covers the people and businesses “responsible” for the systems that allowed a data breach to occur. This covers the companies and independent contractors who were responsible for the safe storage of data.
Events that may trigger a company to file a claim with its third-party cyber risk insurance policy include
- Failure to anticipate or prevent the transmission of a virus to a third party. In other words, a security gap in your software let a virus onto your client's machine and it spread to all your client's email contacts.
- The misuse, disclosure, or theft of confidential information stored on a network. This is your classic data breach: one or more of the systems you set up allowed a hacker to access and/or expose your clients' customers' information.
- Infringement of the right to privacy. This could involve an event in which a system you built failed to keep confidential information properly secure.[3]
Cyber-security insurance can mitigate many of the costs associated with investigating and resolving a security incident and helps a business return to normal operations.
Given the continued threats to business data systems, both Homeland Security and insurance providers encourage businesses to develop practices that reinforce cyber resiliency. AIG lists the following tips. [4]
• Inventory all systems in your environment, paying special attention to identify end of life systems. Migrate to more current and in-support versions as soon as practical, and make sure the risk is understood and additional compensating controls are employed until migration can take place. Do not rely on older, out-of-date products for the most critical applications and data access.
• Make patching systems in a regular and timely fashion a priority. The great majority of malicious programs (malware) leverage known vulnerabilities in operating systems or applications for which patches are available. Update software programs regularly. Not updating means these systems remain vulnerable.
• Externally scan the environment, paying special attention to services and open ports. Attackers do similar, looking for open ports to the internet. It is a poor security practice to have unnecessary open ports to the internet, and this process can identify running services that don’t serve a business purpose (a needless attack surface). Delete programs you are not using.
• Train employees how to identify phishing emails. Many ransomware attacks spread through phishing emails, many of which are engineered to lure victims to click on a link or open a file. Training employees to be vigilant is best practice to avoid a host of other cyber attacks as well.
• Follow the principle of least privilege: don’t give employees or service accounts entitlements they don’t need. In particular, limit “local administrative privileges” only to those employees who truly need them.
• Practice good password hygiene. Don’t use the same password for multiple administration or service accounts, and make sure passwords are complex and reasonably lengthy. A strong password includes: eight characters minimum, at least one number, at least one lowercase letter and one capital letter, and at least one punctuation character. Note that holding Shift while typing a number produces additional punctuation characters.
• Update antivirus on endpoints and servers and set them to automatically conduct regular scans. This protects the infrastructure if the signature of the attack is known.
• Properly segment the network. Identify the most critical assets and data and separate them with network segmentation and strict access control. Each security boundary between segments represents a hurdle for attackers and opportunity for organizations to mitigate an attack.
• Ensure critical systems and files have up-to-date backups. This provides the best protection against data loss due to ransomware. Backups should be protected and tested for restore capability.
• Have an up-to-date, tested incident response plan and process in place. The severity of many incidents is needlessly increased by the lack of a timely and appropriate response.
• Disable unnecessary remote administration features.
• Use secure protocols where possible, such as HTTPS and SSH, for device communications.
Dave Reed Insurance has insurance providers that can help your business minimize the damage of a cyber attack. Call our offices at 2170 Creighton Road, (850) 494-2264, or 1091 N. Navy Blvd., (850) 453-8555, for assistance.
References
1. https://www.dhs.gov/cisa/cybersecurity-insurance
2. http://www.datacenterjournal.com/ten-things-need-know-cybersecurity-insurance/
3. https://www.techinsurance.com/blog/cyber-liability/third-party-vs-first-party-cyber-risk-insurance/
4. https://www.aig.com/content/dam/aig/america-canada/us/documents/business/cyber/cyber-resiliency-tips.pdf
Photo Credit: https://www.flickr.com/photos/pictures-of-money/