With Cybersecurity threat variants starting to go out of control, especially threats of Ransomware, SMBs are scared for the simple reason that they could be financially ruined, and what has taken years to develop could be gone in literally just one day. However, one solution that is giving this market a lifeline is Cybersecurity Insurance.
Technically speaking, once you have filed a Cybersecurity insurance claim, you should expect a payout within a short period of time, much as with auto insurance. Unfortunately, it does not happen that way all the time.
The Cybersecurity insurance industry is a rather complex one, but for this article we will focus on some of the key areas that you, the SMB owner, need to understand before you pick a policy. You also need to understand why Cybersecurity insurance is a proverbial “double-edged sword”.
First- and Third-Party Cybersecurity Insurance Coverages
Here is what you need to know about first- and third-party Cybersecurity insurance coverage:
- Loss of Electronic Data: Your Cybersecurity Insurance Policy will cover this, without too many questions asked. Even if there has been any damage to your Personally Identifiable Information (PII) datasets regarding your customers and employees, this should be covered as well. This is why it is called “First Party Coverage”. But the main caveat here is that your datasets must have been impacted directly by a Cyberattack, such as a hack, Ransomware attack, Worms, Viruses, DDoS attacks, etc. A common question that SMB owners ask is whether Insider Attacks will be covered, and the answer is yes, they should be.
- Cyberextortion: In the case of Cyberextortion, the attackers go far beyond the traditional norm because they are now willing to expose your datasets, or even dirty secrets about your company (assuming they can get access to them), to the public unless you pay up. The best-known example of this is Ransomware. Apart from selling their gains on the Dark Web, the Cyberattacker is even willing to publicly defame you and your company if the ransom is not paid quickly with Bitcoin. This used to be considered a first-party coverage by insurance carriers, but it has become a gray area.
- Notification of breaches: After you have been impacted by a Cyberattack, regulations now require that you notify the affected parties within a short period of time. No matter what route you take to do this, it can be costly. The good news is that this is considered a first-party coverage, so it will be covered directly by your insurance policy.
Third Party Coverages:
- Brand/Reputational Damage: Once you have been impacted by a Cyberattack but are on a path to a normal recovery, the next battle to be fought is how to gain your reputation back and regain any lost customers. It can take years to build a trusting relationship with a customer, and a Cyberattack can destroy that within hours. The good news here is that your Cybersecurity Insurance may reimburse you for what is technically known as “Reputational Damage”, but this is an area that is obviously much more difficult to quantify in actual dollar losses. If you can substantiate the number, you will most likely get a payout.
- Network Security: As we all know, your Network Infrastructure is the number one area through which the Cyberattacker finds their way in. But, in order for your insurance claim to be honored, you will need to demonstrate that your IT Security has been kept up to date by downloading and applying patches/upgrades in a timely fashion.
- Electronic Media: Social media has become a very powerful marketing tool for the SMB to showcase new developments, products and services. On the flipside, social media can also be used to your company’s detriment. For example, an angry customer (or even an employee) might post something negative about a competitor on your Twitter feed, and then there’s a good chance that you could face a lawsuit. Your insurance policy should help financially offset some of these costs, but once again, it comes down to the fact that this is a Reputational Damage expense. If you can back up your numbers, you should be able to get a payout of some sort. Keep in mind that this relates only to slander or defamation on a social media site that your company owns, and it does not cover anything that comes out in traditional print.
The Double-Edged Sword
Now that you have a better understanding of what will be covered directly (First-Party Coverages) and what may take some effort on your part to prove (Third-Party Coverages), you probably feel a lot more secure knowing that you have a financial blanket covering you. Don’t fall into this fallacy. Filing a claim does not mean that you will automatically be paid.
Probably the best example of this is Ransomware. In the past, insurance companies were more lenient in giving you a payout if you actually made a Bitcoin payment to the Cyberattacker. But not anymore. Because of the sheer number of attacks that have occurred this year, many insurance companies are not giving payouts to companies that pay the ransom.
Also, given the huge uptick of data leakages, many insurance companies now mandate that you have proof that you are compliant with the tenets and provisions of the various laws such as the GDPR, CCPA, HIPAA, etc. You need to show the carrier that not only do you have the appropriate controls in place, but that you are testing them on a regular basis.
Also, having documentation such as Incident Response, Disaster Recovery and Business Continuity Plans may have been optional some time ago, but it is not anymore. Most insurance companies now require not only proof that you have them in place, but also that you are rehearsing them on a regular basis and updating them with the lessons learned from each exercise.
Further, you must now also prove that you are taking all the steps you can to find and remediate any unknown gaps or vulnerabilities in your business. This means that you need to engage in some sort of Vulnerability Scanning or Penetration Testing activity and provide documentation that you have actually done this and have filled in the holes.
Finally, you also need to show evidence that you are regularly conducting Security Awareness training programs with your employees. This will be needed in case you file a claim where employee negligence was involved, despite your best efforts to educate them.
The bottom line is that, at some point in time, you are going to have to take the proactive steps just described, either when you first apply for a Cybersecurity insurance policy or when you file a claim. So why not start now, and have those assurances that you will get that payout when you need it the most?
Ravi Das is a Cybersecurity Consultant and Business Development Specialist. He also does Cybersecurity Consulting through his private practice, RaviDas Tech, Inc. He also holds the Certified in Cybersecurity (CC) certification from ISC2.