In an era where businesses rely heavily on technology and digital operations, the threat of cyber attacks is something that businesses can no longer ignore. Protecting your business from potential losses resulting from a cyber event is not just a matter of caution—it's a necessity.
Today, we'll delve into crucial aspects of cyber insurance, covering topics such as cyber security, ransomware attacks, and the various coverages provided by cyber insurance policies. This blog was written as a summary of a webinar we recently held outlining cyber insurance coverage with guest speakers Cohen Barnes, President of SundogIT; Alexandra Bertschneider, CCIC, VP of Johnson Kendall & Johnson; and Spencer Pollock, CIPP/US, CIPM, Member of McDonald Hopkins.
If you'd like to skip around, here are links to the major sections discussed in this blog:
- The Rising Threat of Cyber Attacks
- The Costs Associated After a Cyber Attack
- Cyber Insurance Essentials
- Assessing Cyber Insurance Costs
- Cyber Insurance Application
Understanding the Cyber Threat Landscape
Part 1: The Rising Threat of Cyber Attacks
As technology advances, so do the methods employed by cybercriminals. Threat actors target personal information, ranging from financial data to social security numbers, exploiting vulnerabilities in computer systems. Cybersecurity is no longer a luxury but a fundamental component of safeguarding your business.
And while having the right technology in place to provide layers of protection is vital, Spencer made the point that "People often focus on the technology side, but the human element is equally important."
Cohen set the stage with this real anecdote that he and his team experienced very recently:
So imagine you've got an email account and you've got two-factor authentication on it. And this email account actually got compromised.
Now you could say, how could anyone compromise email, or compromise two-factor authentication, when they don't have my phone? We're not going to get into that here, but there's a thing called 2FA fatigue and man in the middle.
The threat actor got in there, looked through all the emails, all the sent items, all that. And then imagine that hacker realizes, hey, they have a big project going on right now.
So the hacker realized there were progress payments coming up. They emailed the client: "Hey, for progress payments going forward, we've actually changed banks recently."
So the client's guard dropped. "Oh, it's just a status update on where I need to wire the money."
And the client paid $118,000 to the hacker...
If they can't get money out of you, they're going to look to your client base and figure out how they can actually get money out of them.
This is what we're seeing on a regular basis, which is exactly why Alex's industry is there, which is exactly why Spencer is here. The roles that they perform post incident are an absolute reality.
Part 2: The Costs Associated After a Cyber Attack
In the aftermath of a business email compromise, the webinar highlighted the substantial costs that aren't usually considered:
- Lost Payment: The primary repercussion is the lost payment, as the compromised business still owes the legitimate recipient of the project funds that were never received.
- Investigation Costs: Confirmation of email compromise triggers the need for a thorough investigation, involving legal oversight from professionals like Spencer and engaging a forensics firm. Alex stressed the necessity of "stopping the bleeding" and assessing the scope of compromised accounts.
- Data Analytics and Notification Obligations: Once the investigation identifies affected individuals, a data analytics firm comes into play to scrutinize the content of compromised emails. This step is crucial for determining the presence of sensitive information, such as personally identifiable information or proprietary data. Subsequently, the business must navigate the complex web of notification obligations, complying with various laws and contractual agreements. Alex highlighted the intricate details, saying, "Unfortunately, the devil's very much in the details... you might have agreed to notify somebody within 24 hours if you've had a cyber incident, and you need to comply with that."
These multifaceted repercussions underscore the importance of businesses being prepared for the intricate aftermath of email compromises.
Exploring Cyber Insurance Coverages
Part 3: Cyber Insurance Essentials
Navigating the Insurance Landscape: General Liability vs. Comprehensive Cyber Liability
In the ever-evolving landscape of business risks, insurance plays a crucial role in safeguarding companies from unforeseen challenges. While most businesses are familiar with general liability insurance, there's a growing need to understand the nuances of comprehensive cyber liability insurance in the face of increasing digital threats.
General Liability - The Traditional Shield
General liability insurance has long been the go-to safety net for businesses, offering protection against bodily injury, property damage, and personal injury claims. This insurance is designed to cover physical incidents that may occur on business premises or as a result of the company's operations.
However, as technology continues to intertwine with everyday business activities, the limitations of general liability insurance become apparent. Traditional policies may not adequately address the sophisticated digital risks that modern businesses face, leaving a significant gap in coverage.
Cyber Liability - Bridging the Digital Gap
The rise of cyber threats, ranging from data breaches to ransomware attacks, necessitates a more specialized form of insurance – cyber liability coverage. Unlike general liability, cyber liability insurance is tailored to address the unique challenges posed by the digital realm.
Understanding Cyber Liability Components
- First-Party Coverages: Comprehensive cyber liability insurance offers coverage for first-party expenses incurred by the policyholder. This includes costs related to data breaches, such as forensic investigations, data restoration, and legal notifications.
- Business Interruption: In the event of a cyber incident, businesses may face disruptions in their operations. Cyber liability insurance can provide coverage for income loss during downtime and additional expenses required to get back on track.
- Third-Party Coverages: Beyond first-party expenses, cyber liability insurance extends to cover liability claims from third parties. This includes legal costs arising from customer lawsuits, regulatory fines, and settlements due to data breaches or privacy violations.
Bridging the Gap with Both Coverages
While general liability insurance remains a fundamental component of risk management, it's increasingly essential for businesses to complement it with comprehensive cyber liability coverage. The integration of both types of insurance ensures a more holistic approach to risk mitigation.
Part 4: Assessing Cyber Insurance Costs
The cost of cyber insurance depends on multiple factors, including the size of your business, the industry, and the level of coverage needed. This is by no means an exhaustive list, just a highlight of the points mentioned in the webinar:
- Risk Assessment: Insurers evaluate an organization's cybersecurity posture, including measures like multi-factor authentication, robust backup systems, and employee training. Businesses with more advanced security measures may benefit from lower premiums.
- Industry and Business Size: The nature of your industry and the size of your business play a significant role in determining cyber insurance costs. Highly regulated industries or larger enterprises may face different risks and, consequently, different premium structures.
- Claims History: A company's claims history, if any, directly impacts its insurability and premium rates. Businesses with a history of cyber incidents may face higher costs, emphasizing the importance of proactive cybersecurity measures.
- Incident Response Planning: Having a robust incident response plan in place demonstrates a commitment to managing cyber risks. Insurers may reward organizations with lower premiums for their preparedness.
Part 5: Cyber Insurance Application
Understanding the nuances of cybersecurity insurance applications is crucial for organizations seeking coverage. The experts highlighted the importance of accuracy in these applications. While occasional human errors are understandable, consistently misrepresenting security measures could be deemed a material misstatement, potentially leading to claim denials.
- Accuracy is Paramount: Inaccuracies in cybersecurity insurance applications, especially material misstatements, can lead to claim denials.
- Over-articulation is Key: Organizations are advised to provide detailed supplementary information and to over-articulate their responses to ensure clarity in applications.
- Future Plans Matter: Sharing future cybersecurity plans can instill confidence in underwriters and potentially lead to more favorable terms.
Common Cyber Insurance Questions Answered
- What is cybersecurity insurance?
- What are the key components of a cybersecurity insurance policy?
- How does cybersecurity insurance play a role in incident response?
- Why is business email compromise a significant concern?
- Why are cybersecurity insurance questionnaires necessary?
- Can an organization be denied coverage based on the information provided in the questionnaire?
- How can organizations improve their chances of getting coverage and better rates?
- How does a bad actor get into an organization's email without a password?
- Are sub-companies covered by their parent companies?
- What is RDP?
Conclusion: A Collaborative Approach to Cybersecurity
These insights underscore the need for a collaborative and comprehensive approach to cybersecurity. Organizations must diligently fill out insurance applications, ensuring accuracy and transparency. Seeking legal counsel and involving cybersecurity professionals can aid in navigating the intricacies of these applications. Moreover, organizations should not solely rely on a parent company's policy for subsidiaries' coverage but consider obtaining separate policies to address potential gaps.
In the ever-evolving landscape of cybersecurity threats, staying informed and proactive is paramount. Webinars like these provide an invaluable platform for industry leaders to share expertise, helping organizations strengthen their cyber defenses and navigate the complex realm of cybersecurity insurance.
Palmetto Technology Group (PTG) is an award-winning IT support and managed service provider headquartered in Greenville, South Carolina. We believe in delivering phenomenal IT experiences by people you’ll love. As a trusted partner, our goal is to help business owners lower their risk, secure their data, and promote productive employees.