Hey folks. I wanted to take a break from our SMB series and talk about Cyber Security / Cyber Risk / Data Breach insurance.
This is a major topic of discussion when I meet with business owners. Insurance companies are selling policies like they are going out of style, and these types of policies are a major topic of discussion during annual insurance reviews. That’s great! But here is the bad part – most of the policies I’ve seen thus far are anything but comprehensive when it comes to mitigating cyber liability. While I haven’t seen every major policy out there, of course, I can tell you that the ones I’ve read and been asked to review are very smartly worded to protect only a small portion of cyber risk. What’s worse is insurance providers seem to be passing off “one-size-fits-all” policies that really aren’t worth anything in my opinion.
Insurance companies are starting to sweat cyber liability risk in business. The World Economic Forum (WEF) in its Global Risk Report 2018 noted that “many of the expected costs from 2017 came from cyberattacks”. Lloyd’s of London CEO Inga Beale said on a panel during the January 2018 Asian Financial Forum that “Just like natural catastrophes, cyber events such as hacker attacks or internet failures can cause severe impact on business and economies. The financial impact of cybersecurity breaches is rising, and some of the largest costs in 2017 related to ransomware attacks, which accounted for 64% of all malicious emails.”
Here are some things that you should ask your provider before you consider purchasing a policy.
Is the recommended policy the right fit for my business? A company that processes millions of dollars of ACH or EFT transactions would need a different level of protection than one that only does business with credit cards. A company that has custom software (internally written) would need much more protection than one that buys its applications off the shelf. If your provider recommends a policy that “is very popular” without understanding what types of transactions and systems you have in place, get a few other opinions, please.
Which side does my insurance protect? Most of the policies I’ve seen protect the “originator” of the transaction. For example, a vendor sends a wire to you, but because of a spoofed email account, the wire never reaches your account. In this example, the sender would be covered, but the recipient would not, even though the recipient was the one who had the breach. So, the sender would most likely be covered under their policy (if they have one), but you are out the money on your end and there’s little that can be done. Make sure your policy covers the transaction, not the side.
I haven’t seen it yet, but the trend for insurance providers to provide a discount to customers who have a written, tested and verified cyber security policy must be coming soon. I get a discount on my homeowners insurance if I have an alarm system (even though I don’t have to prove I use it), and my insurance company should give me a discount if I do everything possible to protect my data. Again – I haven’t seen every offering, so this may be out there, but inquire with your insurance provider and if they don’t have this option, make sure they know – with frequency – that you aren’t happy about it. A business that goes above and beyond to do what it can to mitigate risk should be rewarded with a product that protects it if those measures fall short. A next generation firewall is the business equivalent of a monitored alarm system in the home. With this simple expense, you immediately mitigate your risk. It’s time for insurance companies to start recognizing these facts and encouraging businesses to implement them.
Make sure your policy protects the basics. Your policy should protect against the basic, growing threats that every business faces today. Phishing attacks and ransomware attacks are just two, but two that should absolutely, without a doubt, be included. Data loss protection should also be included, not just from a breach, but from faulty hardware, software or policies.
Does your policy include employee loss, theft or general failure? Yes, some traditional business insurance policies protect against this, but does your policy cover the gap? An employee emailing a spreadsheet with financial information (bank accounts, PINs, etc.) is a breach, and if that information falls into the wrong hands, you’re up the brown creek. What about leaving a laptop loaded with confidential information in a taxi while traveling? I haven’t seen any coverage regarding this yet, but plainly, it must be out there.
Understand the amounts. In the last year, almost all the policies I’ve seen cover up to $1M for the breaches they cover. At first it seemed like a lot, but the more businesses I meet, the more I realize it’s barely a drop in the bucket. If a cyber breach can close your business (which it most certainly can), how much do you need to make sure that doesn’t happen? If you are sending $3M in ACH transactions each month, that doesn’t begin to cover it. Understand what the $1M policy covers. Does it include the response and remediation of the threat? It should. That cost alone can be in the tens of thousands for a small business. Don’t just protect the money; protect the systems and the remediation of a threat.
Ask questions. A LOT of them. Use real-life scenarios. Get the protection details of the policy in writing before you buy. No policy covers everything, but the best policies will cover what your business needs. Avoid the “send me a quote for cyber insurance” mentality. Ask your provider what options there are and which coverages can be customized.
The biggest question I get on a weekly basis is, “We have a pretty comprehensive cyber security and risk policy, do we need insurance?” Or, put another way, “We spend a lot of money on IT solutions to protect our data, why do we need that AND insurance?”
Well, to answer my original question at the beginning of this post – you absolutely, 100% need cyber security / liability insurance. With more than 9 billion malware attacks reported in 2017 (up from ~8B in 2016), do you really want to save a few hundred dollars to bet your IT guy is smarter than every hacker on the planet? Yes, mitigate your risk; yes, have a plan for how your business should respond to a breach; but why not have something that protects you from the unknown? Get with your insurance provider today. If you don’t have one, or don’t have one that will answer the questions I asked above, email me and I’ll send you a guy who I can undoubtedly say provides the best protection for your business (at least from a cyber liability stance, since that’s all I know!).