Along with the ever so famous two guarantees of life known as death and taxes, there are certain other things that we simply cannot live without. Now, I realize that this is a very open ended to give to you, but purposes of this blog, I am talking about being business owner.
Depending upon the industry you are in, you will most likely have employees, whether they be it on a part time, full time, or even a contractor basis.
There are certain benefits that you will want to offer to them, and if you can afford it, probably medical insurance would be at the of the list, whether it is giving it to them directly or helping them get it at Obamacare. You will possibly have a small fleet of vehicles, and of course, that will take car insurance. For the most part, getting these kinds of insurances should not be too much a hassle.
But don’t forget, you are going to need yet another kind of insurance policy – and that is for Cybersecurity. Before the COVID-19 pandemic hit the United States, getting a basic policy was not too hard to do.
All you pretty much had to do was apply to a few carriers that you felt comfortable with, sign the paperwork, and pay the first month’s premiums. Then you were all set.
But given the sheer range of new attack vectors that have from that, most notably of Ransomware, insurance carriers have now greatly ratcheted up the requirements to get a policy. For example, simply self-attesting to the fact that you have all of the controls in place is not enough anymore.
You now have to fill out a rather long and detailed questionnaire confirming that all needed controls are in place, and in fact, many of the carriers are now requiring that an MSP or an MSSP sign off on it to confirm that the statements are true.
If it is discovered they are not, you both could be under some serious legal trouble, especially when it comes to perjury. But not only this, now many of the insurance companies are also opting not to pay claims when it comes to Ransomware payments. For example, a company out of desperation may pay the fine, in the hopes of getting their files back.
The next thing that the business owner will want to do is file a claim to get the money back. But most likely, that will not happen now. But now, the insurance carriers have found possibly yet another way to keep the small business owner hanging out to dry.
It now comes down to literally what an act of war is defined as. Because of all of the turmoil that is now happening on a geopolitical basis, if an SMB becomes a victim because of a direct act of war, any claims filed will not be paid.
This is technically known as an “Act of War Exclusion”. It is really interesting to note that this kind of exclusion actually has been in place since the start of the Spanish Civil War. But of course back then, Cybersecurity was a totally unthinkable topic.
So long story short, suppose you have been impacted by a security breach, and after a detailed forensics has been conducted it was determined that a nation state threat actor actually launched the threat variant. Would this be deemed as an act of war? That is a hard question to define, because from a legal standpoint, it can be looked at from many different perspectives.
But IMHO, I would classify it as an act of war, because the SMB owner suffered a direct attack from a foreign enemy. Btu what makes this so different is that it was launched in the digital world, bit the traditional land battlefield.
Also, our own court system would have a hard time defining what an act of war really is, especially on the Cyber front. The primary reason for this is because there is no legal precedence that has been established for it. For the other types of war, yes, there is plenty of precedence that lawyers and judges can use in a large amount.
But the sad news here is that insurance providers are trying as much as possible to avoid paying claims on the context of being a victim of war. One of the ways that they are doing this is by putting in clear and concise language that any Cyberattacks that have precipitated and that you have become of, will simply not be covered, much like Ransomware payments won’t be either.
An interesting question here is are third party vendors affected by this exclusion as well? After all, they were doing for a company, and if they get impacted, and in turn the third-party supplier does as well, will they be allowed to get payment if a claim is filed?
This is just one example of how murky this situation is, and the difficulty of defining what truly constitutes a Cyber War.
My Thought On This:
Unfortunately for the SMB owner, things are not going to get easier for them as they try to apply for Cyber Insurance and even file for a claim. Now, I am far from being an insurance expert, but I have written a lot on this subject matter (heck even wrote book on it just recently), but based on my knowledge, here is my two cents worth:
*Always have your Incident Response, Disaster Recovery, and Business Continuity plans in place and rehearsed. By having such plans in place, not only will you be able to recover in a quicker period of time, but you can also prove to the insurance carrier that you had such plans, and followed them to the letter. This will prove to them to a certain degree that at least you had the right controls in place before you were impacted.
*There are many carriers out there, so be extremely selective. Probably the best advice I can give you in this regard is to get a lawyer that specializes in just Cyber issues. There are many of them coming out today, so it should be too difficult to find a good one. As far as possible, have this lawyer get your insurance policy for you. That way, they can read through all of the legalese of the insurance contract, and make sure that you will be covered totally, also from the standpoint of being covered from Ransomware attacks and Cyber Warfare. Also, hopefully it never happens, but if you are impacted by a security breach, this same lawyer can also vigorously defend your rights in case your claim is denied for whatever reason.
*Always, as mentioned before, conduct a detailed forensics examination after you have been impacted. This is the only true to confirm if it was a nation state threat actor that actually launched the attack. If this was the case, then you will have a better chance of getting a payout on your claim.
But, if you already have a Cybersecurity Insurance Plan in place, or are in the process of getting one, don’t let your guard down. Keep being proactive. The fallacy in thinking here with many SMB owner is that because they already have insurance in place, they will get a payout no matter what. But the moment this happens, you have just increased your likelihood of not getting a payout!!!
For more, detailed on Cyber War exclusions, click on the link below: