Cyber risk insurance is often not considered until it’s too late. Imagine you’ve discovered malicious software present on your network, like a ransomware attack on employee information or a backdoor breach through a third-party access point. Without cyber risk insurance, your organization is solely responsible for all of the resources and monetary needs to remediate your systems and respond to the attack.
This is definitely not ideal for any organization dealing with growing attack surfaces and increasingly sophisticated hacking attempts.
Cyber risk insurance protects an organization from security & privacy events by covering the cost to recover from a data breach, virus, or other form of malicious cybersecurity activity. Besides aiding your organization in your own recovery, cyber insurance is also important to support and defend your organization from legal liability from those affected by the breach. This could potentially come from customers, employees, partners, third parties, and anyone connected to your network who is affected and potentially had their data exposed.
It’s important to match your expectations with reality when deciding on cyber insurance for your organization. Where are the risks most prominent on your network, and who could be impacted by a breach?
In short, every organization is vulnerable to a cyber incident, and even if the data you store on your network isn’t particularly desirable to hackers, it is likely that sensitive data may reside with your third party providers.
Like other insurance coverages, cyber risk insurance covers a common set of scenarios, but there are situations where an organization can still be exposed. Most insurers offer similar coverage options; however, a few offer less common ones. Here is a breakdown of what is covered, and not covered, with cyber risk insurance:
Many of the scenarios above can also be triggered by trusted third-party vendors with whom you share data and/or on whom you rely for critical business operations.
Beyond covering first- and third-party costs associated with the above scenarios, cyber insurers also offer customers a vetted list of providers they can work with. These providers can be: pre-breach providers - like BitSight - that help organizations better understand their security posture and prepare themselves to be more resilient to a cyber event; post-breach providers, like a legal firm that acts as a “breach coach” helping clients navigate through an event; forensic service providers; public relations companies; and more. You should try to align yourself with an insurer that has both a comprehensive set of coverages and a panel of expert vendors you can work with to prepare for, prevent, and protect yourself from a cyber event.
Like other types of insurance, cyber risk insurance often requires organizations to prove they are taking some sort of action to protect their network against threat actors. If an organization doesn’t protect its network at all, it might not be approved for insurance, or it might be charged a high rate, much as someone with a riskier health behavior like smoking might be charged a higher monthly health-insurance premium.
BitSight Security Ratings are a great way to prove your cybersecurity protection efforts to a cyber risk insurance provider. Presenting an objective view of your network’s cybersecurity posture will give your potential insurance provider a trusted view into what your organization does to protect against threats, and will make securing a cyber risk insurance policy smoother.
There are countless real-world cyber incident examples where organizations have suffered financial, reputational, and operational losses due to a seemingly small vulnerability. Just look at the recent Microsoft Exchange Hafnium breach that affected thousands of organizations around the world.
Organizations that trusted their sensitive email conversations and contact information to Exchange servers were left scrambling to update their devices and patch their systems against a vulnerability in software from a corporation as seemingly security-focused as Microsoft.
You can’t ignore the possibility of a compromise of your network any longer. With large, well-funded, global organizations being targeted by malicious actors, it is less a question of “if” a cyber incident will occur and more a question of “when”. Organizations rely on cloud management services to facilitate company operations and stay competitive in their industry. Preventing attacks on your network is now just as vital to organizational success as making sure an attack doesn’t completely drain your organization’s funds.
Even if you have a mature, established security management system, your network is subject to the performance of your vendors’ cybersecurity management practices as well. Gaining full visibility into the threats on your network, including your vendor risk landscape, will help you determine the level of cyber risk insurance you need. Accurate data on your vendor risks can also help you stay informed about whether your vendors are meeting the cybersecurity requirements listed in your contract or in a recent audit.
BitSight Security Ratings provide an external view of the risks to your network, as well as third parties and partners with integrated systems. Utilizing security ratings to get a complete view of your network now can help reduce potential cyber risk insurance claims in the future.
It’s not hard to justify why you need property insurance when you’re surrounded by your physical goods that you don’t want to be lost or damaged in your home or business. So why isn’t cybersecurity the same?
This post was originally published July 18, 2016, and has been updated for accuracy and comprehensiveness.