Well, Happy New Year to everybody out there! Here's hoping that 2025 sees a decrease in the total number of threat variants that impact not only businesses, but nonprofits, government agencies and individuals too.
One theme that is going to get a lot of attention, at least at the beginning of this year, is Cybersecurity Insurance. Just like other types of insurance, the thinking is that if you simply file a claim (provided you actually do have the insurance) you will get a payout to help recoup the costs you incurred as a result of a security breach.

But as we have recently seen with the health insurance industry, this is not such a sure deal. Today, many carriers that offer Cybersecurity Insurance require a great deal from the applicant before the application can even be considered. For example:
* If you are the business owner, you must fill out a lengthy questionnaire attesting truthfully that you have all the controls in place to protect the PII datasets you hold. You must also provide evidence that you have taken steps to address the gaps and weaknesses in your IT/network infrastructure. This is typically done by conducting a Vulnerability Scan, a Penetration Test, or both, and keeping the reports and the remediation evidence that go with them.

* Once you have the above, in most cases your questionnaire must be certified by an outside third party that you trust, or with whom you have worked in the past.

* Even after you have submitted all of this with your application, the insurance company can still come on site to your place of business and conduct a random audit to make sure that what you have attested to is correct.
There are also some other alarming stats, such as:

* From 2018 to 2022, premium rates went up year over year.

* In 2023, 79% of US businesses experienced a dramatic increase in premiums.

* SMBs with fewer than 250 employees were likely to be denied any kind of coverage if they filed a claim.

The last two stats come from a whitepaper published by Delinea that examined the state of the Cyber Insurance industry in 2023. For more details, see:

2024 Data Breach Investigations Report | Verizon
The bad news is that in 2025, along with rising premium rates, it is going to be even harder and more complex, especially for the SMB, to procure Cyber Insurance. But there are some key steps you can take first to make sure that the application you submit at least puts your best foot forward to the underwriters. Here they are:
1) Understand Risk:

Risk is a very subjective term to define, and depending upon the industry it can have different meanings. But for Cybersecurity, at least in my view, this metric represents how much downtime your business can take (because of a security breach) before you start to incur real financial losses. The best way to measure it is to conduct a detailed Risk Assessment: take an inventory of both your physical and digital assets, categorize them (for example by whether they hold PII datasets and whether they are exposed to the Internet), and rank each one by its degree of vulnerability and by the impact its loss would have. Once you have done this, you will have a much better idea of what your actual Risk Posture is. The insurance company will look at this and see how it compares to the overall average in the Cyber industry. If you find that your Risk Posture is numerically too high, take the steps to bring it down before you apply for any Cyber Insurance, and keep the before-and-after numbers, because they are the evidence that the gaps were actually closed. Of course, the more you can lower it, the better your chances of being issued a policy.
2) Understand the Contract:

If you have been lucky enough to be awarded a policy, you will first receive a contract. It is imperative that you review it in detail, more than once. Cyber Insurance can be very tricky to understand, and coverage varies greatly. Of course, you will be covered for the direct costs you incurred because of a security breach, but the very murky areas are the after-the-fact costs, such as legal fees in the event of lawsuits, regulatory fines, reputational/brand damage, etc. Pay particular attention to the exclusions and sub-limits, since those are the clauses under which a claim you assumed was covered gets denied. Although I am by no means an insurance expert, my best advice is to hire a really good lawyer who can review the contract inside and out, and have him or her negotiate the terms with the insurance company so that they are much more favorable to you. You never want to file a claim and have it rejected because it was not covered by your contract!
3) Pay Attention to Compliance:

More than ever before, businesses both here in the United States and in the European Union are coming under very close scrutiny under the data privacy laws, most notably the GDPR, CCPA, HIPAA, etc. As a result, the insurance company you have applied to will want to make sure that you have made every effort to reduce the risk of a regulatory investigation, and a penalty, under any of them. The primary reason is that the financial penalties can be quite steep, and the insurance companies never want to pay out such a huge amount if a claim is filed under those circumstances.
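To make step 1 concrete, here is a small risk register that does what that step describes: inventory the assets, categorize them (PII, Internet exposure, open findings, backups, MFA), score each one as likelihood times impact, roll that up into a single posture number, and list what has to be fixed before the application goes in. This is an added example, not code from the original post, and the five-point scales, weights, thresholds and the sample inventory are assumptions chosen for illustration; no underwriter uses this exact formula.

```python
"""Illustrative risk register for a pre-application self-assessment.
Added example, not code from the original post: the five-point scales,
the weights and the thresholds below are assumptions chosen for
illustration, not an underwriter's actual formula."""
from dataclasses import dataclass, replace
from statistics import mean


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str               # "physical" or "digital"
    holds_pii: bool         # stores or processes PII datasets
    internet_exposed: bool  # reachable from the Internet
    open_findings: int      # unresolved high/critical findings from the last scan or pentest
    backup_tested: bool     # a restore has actually been exercised, not just scheduled
    mfa_enforced: bool      # MFA required for every account that can reach it


def likelihood(a: Asset) -> int:
    """1..5: how likely a compromise is, from exposure and unresolved findings."""
    score = 1
    if a.internet_exposed:
        score += 2
    score += min(a.open_findings, 2)  # capped so one noisy host cannot dominate
    if not a.mfa_enforced:
        score += 1
    return min(score, 5)


def impact(a: Asset) -> int:
    """1..5: how badly a loss would hurt (PII exposure, ability to recover)."""
    score = 1
    if a.holds_pii:
        score += 2
    if not a.backup_tested:
        score += 2
    return min(score, 5)


def risk(a: Asset) -> int:
    """Classic likelihood x impact, 1..25."""
    return likelihood(a) * impact(a)


def posture(assets) -> float:
    """Overall posture as the mean per-asset risk; lower is better."""
    return mean(risk(a) for a in assets)


def actions_for(a: Asset) -> list[str]:
    """Concrete gaps to close before the application goes in."""
    todo = []
    if a.open_findings:
        todo.append(f"remediate {a.open_findings} open finding(s)")
    if not a.mfa_enforced:
        todo.append("enforce MFA")
    if not a.backup_tested:
        todo.append("run and document a restore test")
    return todo


def remediation_plan(assets, threshold: int = 12):
    """Assets at or above the threshold, worst first, each with its gaps."""
    hot = [a for a in assets if risk(a) >= threshold]
    return [(a.name, risk(a), actions_for(a)) for a in sorted(hot, key=risk, reverse=True)]


def ready_to_apply(assets, max_avg: float = 8.0, max_single: int = 12) -> bool:
    """Two gates: the average posture and the single worst asset."""
    return posture(assets) <= max_avg and max(risk(a) for a in assets) <= max_single


def close_gaps(assets, threshold: int = 12):
    """What-if re-score: the inventory after the remediation plan has been executed."""
    return [replace(a, open_findings=0, mfa_enforced=True, backup_tested=True)
            if risk(a) >= threshold else a for a in assets]


# Constructed sample inventory (hypothetical systems, not real data).
INVENTORY = [
    Asset("crm-db", "digital", True, False, 0, True, True),
    Asset("web-portal", "digital", True, True, 3, True, False),
    Asset("hr-laptops", "physical", True, False, 1, False, True),
    Asset("marketing-site", "digital", False, True, 0, True, True),
    Asset("file-server", "digital", True, False, 2, False, False),
]

if __name__ == "__main__":
    print(f"posture now: {posture(INVENTORY):.1f}  ready: {ready_to_apply(INVENTORY)}")
    for name, score, todo in remediation_plan(INVENTORY):
        print(f"  {name}: risk {score} -> {', '.join(todo)}")
    fixed = close_gaps(INVENTORY)
    print(f"posture after plan: {posture(fixed):.1f}  ready: {ready_to_apply(fixed)}")
```

Run as-is, the sample inventory scores 10.2 with file-server (20) and web-portal (15) above the line, so the application is not ready; after the listed gaps are closed the same inventory re-scores to 5.6 and passes both gates. The two gates matter: an average alone lets one catastrophic asset hide behind many harmless ones, and that single worst asset is exactly what a site audit will find. The before-and-after scores, together with the scan and pentest reports behind the open_findings counts, are the records worth keeping for the application and the renewal.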
My Thoughts on This:

Applying for Cyber Insurance is going to be just as bad as doing your tax returns in terms of the amount of time it takes to prepare the documents. Thus, it is very important that you keep copies of all of your documents, and keep records of all of the Cyber Risk Assessments that you have done.

Once your policy is up for renewal, you will want to show the insurance company, in detail, how you have fortified your overall Security Posture.

Obviously, it is not easy to get Cyber Insurance, but it can be done. It will just take a lot more due diligence on your part to make sure that every "i" has been dotted and every "t" has been crossed.

Finally, once you are awarded a policy, do not take your foot off the gas. Keep up those efforts to keep your Security Posture strong over the long haul. In the end, Cyber Insurance is meant to supplement, not replace, the need to be very proactive about the Cyber Threat Landscape.