CIO

The Do's and Don'ts of Cyber Insurance

Many companies are discovering that they are increasingly vulnerable to cyber attacks. In Q3 of 2017 alone, 79% of companies faced cyber attacks. Inside the past year, 50% of companies report being attacked by hackers with a ransom motivation alone.

For many companies, cyber insurance is the logical answer to decreasing the risk and helping cushion the blow when they are hit by a ransomware attack. Like your general liability insurance, which protects your business from many of the financial threats it faces on a regular basis, cyber insurance helps provide your business with an increased layer of protection that will prevent you from being quite so financially vulnerable if you’re hit by a cyber attack that steals customer data or other sensitive information.

 In order to make the most of your cyber insurance policy, however, make sure you’re utilizing these key do’s and don’ts.

Do:

You’ve chosen a cyber insurance provider, and you’re ready to learn more about how to make that policy work for you. From choosing the ideal provider to selecting the tools you really need, make sure that you:

Properly estimate the potential cost of a breach for your company. Your cyber insurance policy, like other insurance policies, will provide coverage in the amount that you’ve purchased. Make sure that you’ve properly estimated the damage that can be caused by a cyber attack, including:

  • Notifying customers of what has occurred
  • Conducting damage control
  • The cost of lost hours and wages
  • Providing restitution for customers
  • Potential fees associated with poor cybersecurity protections

Know what type of coverage you need. First-party cyber insurance covers the direct damages associated with the cyber attack, including the costs needed to remedy the situation when private customer data is compromised. Third-party coverage, on the other hand, helps cover associated costs. Do you have legal fees because your app failed to provide appropriate customer compensation? Third-party coverage is designed to help pay for those fees and other associated costs.

Provide the highest level of protection for your business. Cyber insurance is designed to help cover the damages after your business has been attacked. That doesn’t mean, however, that you should take the risk of leaving your business unprotected! Help avoid key vulnerabilities by:

  • Discussing security best practices with your employees on a regular basis
  • Keeping penetration testing updated
  • Creating a response plan that will allow every employee to know how they should respond in the event of a cyber attack
  • Keeping software updated so that you don’t miss out on any important security updates, which could leave your business vulnerable
  • Going beyond industry compliance to help provide actual security for your business and your customers
  • Considering a VPN for your needs. A virtual private network can provide significantly enhanced security for your company, allowing you the confidence that goes along with increased security.

Educate your employees about what it means to maintain cybersecurity. While your employees must exist in an online world, many of them lack the basic tools necessary to provide true security for themselves, much less your business. You can opt to educate them yourself or to bring in an expert in cybersecurity to provide appropriate training on everything from how to recognize a phishing scam how to avoid going to a site that doesn’t provide the appropriate level of security. By recognizing these simple standards, your employees can become one of the most effective protections against attacks from the outside, rather than remaining one of the biggest vulnerabilities.

Know what your policy covers. Cyber insurance is one of the most important types of insurance you’ll acquire for your business–and it’s critical that you know what coverage it will provide. Take the time to read your policy and be sure that you fully understand exactly what is covered under its terms. Keep in mind that a more comprehensive plan may cost more to keep in place, but it will also provide a higher level of financial protection when your business is attacked. Review your policy on a regular basis, and make sure that you have contingency plans in place to cover any potential gaps in coverage.

Don’t:

Cyber insurance is an excellent tool, but it can’t fix all of your problems for you. These key don’ts will help you avoid potential traps in your cyber insurance policy. Make sure that you don’t:

Rely solely on your insurance policy to provide cyber protection. Your insurance policy might provide financial protection for your company, but it won’t stop you from being attacked in the first place. In many cases, you may find that the repercussions of a cyber attack extend well beyond the initial financial problems associated with the event. You may lose customer trust and struggle to regain your place in the industry, depending on the severity of the attack. Instead, make sure that you:

  • Conduct regular security assessments, including both vulnerability assessments and penetration testing
  • Use appropriate passwords and other security measures throughout your company
  • React quickly in the event of a threat to prevent future issues for your company
  • Have a solid cyber attack response plan in place that will enable you to move through the process and protect your company and your employees

Leave yourself vulnerable to a lack of coverage. You wouldn’t walk out the front door of your business at the end of the day without locking the door–and you certainly wouldn’t leave it open with a glaring sign saying, “Take me!” If you did, your theft insurance policy would likely fail to provide coverage for the items lost following this event. The same is true of your cyber insurance policy: if you don’t take the necessary steps to protect your business, you may not be able to count on your coverage to protect you. For this reason, regular penetration testing and a high level of security–not just industry compliance–is critical to the overall safety of your business, including ensuring that cyber insurance will kick in when you need it most.

Assume that cyber insurance will cover everything. While cyber insurance can help provide financial protection in a number of scenarios, there are times when it won’t provide the coverage that you’ll need. Cyber insurance is not designed to provide protection for:

  • Information stored on paper, rather than digitally
  • Device loss or theft, including loss of laptops, phones, tablets, and other devices that may be connected or logged in on the company network
  • Third party vendors who compromise your data
  • Data that is compromised due to a lack of encryption or other common protections

Ignore your recovery plan. You don’t just need to know how to protect your business. You need to know what will be necessary in order to provide recovery solutions for your business and your clients. Take the time to carefully plan out your response, including the potential costs, instead of simply leaving your recovery to chance. Then, when your business is attacked, you’ll be prepared for the next steps, rather than struggling to decide what to do next.

Cyber insurance is, in today’s world, one of the most valuable types of insurance you’ll acquire for your business. While you can’t guarantee that you won’t be the victim of a cyber attack, you can substantially increase the odds that you’ll be able to weather whatever storm comes your way–and provide your business with a higher level of financial protection that will make it easier to protect and keep customers who may have been impacted by the attack.

About the Author

Naomi Hodges is a cybersecurity advisor and a contributing writer at Surfshark. Her focus is primarily on innovative technologies, data communications, and online threats. She is committed to fighting for safer internet and pushing privacy agenda forward.