For any business leader or CIO, navigating the world of cybersecurity insurance can be complicated. There often seem to be more questions than answers, and it can be difficult to know whom you need to speak to in order to get what you need. This article attempts to provide some direction, point out a few of the pitfalls, and help you ask the right questions within your organization.
The goal of risk transfer is to move a risk from your organization to a third party at a cost lower than what it would cost you to address that risk internally. Cybersecurity insurance is one method of doing just that, but it does not always cover the complete cost associated with a breach or other cybersecurity event.
As of 2017, cybersecurity insurance has become increasingly comprehensive, and the menu of options available to the insured is larger than at any time in the past. These policies used to cover only assets, business interruption, and some of the costs associated with remediation. It is now possible to cover a far broader set of risks, including forensic investigations, customer notification, credit monitoring, public relations, legal defense, and even regulatory fines (subject to what the law in your jurisdiction allows to be insured). The array of options can be dizzying, but if you know the right questions to ask you can build a policy that fits your organization.
The first step to building an appropriate cybersecurity insurance policy is to understand the risks you wish to mitigate and the assets you wish to protect. For example, if your primary concern is brand reputation rather than the physical assets themselves, you can dial down one part of the policy and dial the other up. Another common concern is intellectual property. If you are a manufacturing firm with little or no digitally stored I.P., this may be an opportunity to save on your policy, whereas if you are a biotech firm, I.P. might be the most valuable set of assets in your organization, and protecting it would be a priority.
The next step is to establish your organization's security maturity. Many policies come with a multipage application that asks about your information security policies, mobile device security, employee onboarding and offboarding and the processes that support them, incident response, and regulatory compliance. While these questionnaires are intended to give the insurance company a method for establishing your organization's risk profile, they can be just as useful to you for the same purpose, and answering them inaccurately can give the carrier grounds to deny a claim later.
The standards organization NIST has recently published some excellent guidance on establishing an organization's security readiness. For small and midsize businesses, the document NISTIR 7621, "Small Business Information Security," can help an organization begin to establish where it stands. If your company has a high dependence on technology for its operations, a large number of physical locations, or works within a highly regulated industry such as healthcare, banking, or insurance, you may wish to consider bringing in a third party with experience in assessing security maturity.
Once you have established what it is you would like to protect and have a feel for the sorts of risks your organization does or does not carry, you are probably ready to begin speaking with an insurance agent. A variety of carriers offer cybersecurity insurance, and not all of them are created equal. An independent insurance agent may be able to help you compare and contrast the policies that best fit your needs.
It is important to understand that while a good cybersecurity insurance policy may cover some or all of the direct costs associated with a breach, the greatest cost to your organization may be the time that a breach takes away from achieving your strategic goals. Dealing with a breach and all of the issues that tend to come with it can be very time-consuming, and resources that might otherwise be dedicated to growing your organization will instead be focused on the problem of the day. A good cybersecurity policy should always be accompanied by a solid security program, whether built inside your organization or with a third party. It is similar to operating a vehicle: you would not choose between automobile insurance and a driver's education course. You need both in order to use your car safely, and operating a business is no different.