Along with the ever so famous two guarantees of life known as death and taxes, there are certain
other things that we simply cannot live without. Now, I realize that this is a very open ended
statement to give to you, but for the purposes of this blog, I am talking about being a business owner.
Depending upon the industry you are in, you will most likely
have employees, whether they be on a part time, full time, or even a contractor
basis.
There are certain benefits that you will want to offer to
them, and if you can afford it, medical insurance would probably be at the top of the
list, whether it is giving it to them directly or helping them get it through Obamacare. You will possibly have a small fleet of
vehicles, and of course, that will require car insurance. For the most part, getting these kinds of
insurance should not be too much of a hassle.
But don’t forget, you are going to need yet another kind of
insurance policy – and that is for Cybersecurity. Before the COVID-19 pandemic hit the United
States, getting a basic policy was not too hard to do.
All you pretty much had to do was apply to a few carriers
that you felt comfortable with, sign the paperwork, and pay the first month’s
premiums. Then you were all set.
But given the sheer range of new attack vectors that have
emerged since then, most notably Ransomware, insurance carriers have now greatly
ratcheted up the requirements to get a policy.
For example, simply self-attesting to the fact that you have all of the controls
in place is not enough anymore.
You now have to fill out a rather long and detailed questionnaire
confirming that all needed controls are in place, and in fact, many of the carriers
are now requiring that an MSP or an MSSP sign off on it to confirm that the statements
are true.
If it is discovered they are not, you both could be in
some serious legal trouble, especially when it comes to perjury. But not only
this, many of the insurance companies are now also opting not to pay claims when
it comes to Ransomware payments. For
example, a company out of desperation may pay the ransom, in the hopes of getting
its files back.
The next thing that the business owner will want to do is
file a claim to get the money back. But
most likely, that will not happen now. On top of this, the insurance carriers have
found possibly yet another way to leave the small business owner hanging out to
dry.
It now comes down to literally how an act of war is defined. Because of all of the turmoil that is
now happening on a geopolitical basis, if an SMB becomes a victim because of a
direct act of war, any claims filed will not be paid.
This is technically known as an “Act of War Exclusion”. It is really interesting to note that this kind
of exclusion has actually been in place since the start of the Spanish Civil
War. But of course back then,
Cybersecurity was a totally unthinkable topic.
So long story short, suppose you have been impacted by a
security breach, and after a detailed forensics examination has been conducted it was
determined that a nation state threat actor actually launched the threat variant. Would this be deemed an act of war? That is a hard question to answer, because from
a legal standpoint, it can be looked at from many different perspectives.
But IMHO, I would classify it as an act of war, because the SMB
owner suffered a direct attack from a foreign enemy. But what makes this so different
is that it was launched in the digital world, not on the traditional land
battlefield.
Also, our own court system would have a hard time defining
what an act of war really is, especially on the Cyber front. The primary reason for this is that there
is no legal precedent that has been established for it. For the other types of war, yes, there is
plenty of precedent that lawyers and judges can draw upon.
But the sad news here is that insurance providers are trying
as much as possible to avoid paying claims in the context of being a victim of
war. One of the ways that they are doing
this is by putting in clear and concise language that any Cyberattacks that
have been precipitated by war, and that you have become a victim of, will simply not be covered, much
like Ransomware payments won’t be either.
An interesting question here is: are third party vendors
affected by this exclusion as well?
After all, they were doing work for a company, and if that company gets impacted, and
in turn the third-party supplier does as well, will they be allowed to get
payment if a claim is filed?
This is just one example of how murky this situation is, and
the difficulty of defining what truly constitutes a Cyber War.
My Thoughts On This:
Unfortunately for the SMB owner, things are not going to get
easier for them as they try to apply for Cyber Insurance and even file a
claim. Now, I am far from being an
insurance expert, but I have written a lot on this subject matter (heck, I even
wrote a book on it just recently), so based on my knowledge, here is my two
cents worth:
*Always have your Incident Response, Disaster Recovery, and
Business Continuity plans in place and rehearsed. By having such plans in place,
not only will you be able to recover more quickly, but you can
also prove to the insurance carrier that you had such plans, and followed them
to the letter. This will prove to them,
to a certain degree, that at least you had the right controls in place before you
were impacted.
*There are many carriers out there, so be extremely
selective. Probably the best advice I
can give you in this regard is to get a lawyer that specializes in just Cyber
issues. There are many of them coming out
today, so it should not be too difficult to find a good one. As far as possible,
have this lawyer get your insurance policy for you. That way, they can read through all of the legalese
of the insurance contract, and make sure that you will be covered totally, also
from the standpoint of being covered for Ransomware attacks and Cyber
Warfare. Also, hopefully it never
happens, but if you are impacted by a security breach, this same lawyer can
also vigorously defend your rights in case your claim is denied for whatever
reason.
*Always, as mentioned before, conduct a detailed forensics examination
after you have been impacted. This is the
only true way to confirm if it was a nation state threat actor that actually
launched the attack. If this was the case,
then you will have a better chance of getting a payout on your claim.
But, if you already have a Cybersecurity Insurance Plan in
place, or are in the process of getting one, don’t let your guard down. Keep being proactive. The fallacy in thinking here with many SMB
owners is that because they already have insurance in place, they will get a
payout no matter what. But the
moment you let your guard down, you have just increased your likelihood of not getting a
payout!!!
For more details on Cyber War exclusions, click on the link
below:
https://www.lmalloyds.com/LMA/News/LMA_bulletins/LMA_Bulletins/LMA21-042-PD.aspx