Cyber Insurance – Needed???
A few weeks ago, I recommended to a client that they purchase Insurance instead of implementing specific controls in their environment to mitigate a particular risk. The client was not aware that this was an option and thought that General Liability Insurance provided coverage. I explained that liability insurance is very limited: it can protect from financial losses, but it does not cover cyber-related incidents.
Deciding if Cyber Insurance is needed requires a bit of time to evaluate the data asset and calculate the potential for the threat to be realized (does anyone remember the risk equation?). Once those variables are determined and calculated, a value for Risk is achieved. In my client's case, it showed that the cost to implement the control was greater than the cost of transferring the risk to the insurance company. Now… this isn't the only thing to consider when determining if Insurance should be purchased. A couple of other examples: small to mid-size companies are bound by third-party audits, or the company handles sensitive information. It will take a bit of time to determine if purchasing Cyber Insurance is right for your organization, but there is a benefit that isn't always quantifiable at first yet has a huge impact on business: name recognition and reputation. Can your company recover from a tarnished reputation?
Once you have determined that Cyber Insurance is needed to cover items that may not be feasible to mitigate in house for whatever reason, the next step is to consider what type of insurance is needed. At this point, it is highly recommended that you engage an Insurance Broker who can assist with this question. Each company has different needs and requirements; cyber coverage can include things such as data loss, extortion, theft, breaches and denial of service attacks. Having the broker walk you through the process will make sure proper coverage is obtained. Improperly filling out the questionnaires can lead to not having enough coverage if a breach occurs. A trustworthy broker can help navigate these questions while advocating on your behalf for the best package.
Once the policy is in place, make sure that your company is performing its Due Diligence when protecting the assets. If an incident occurs and the Insurance Company determines that the company did not meet the minimum requirements in protecting the data, the claim can be denied.