3 steps to take before you buy cyber insurance

Oct. 18, 2016
Performing due diligence prior to purchasing a policy is critical

Hacktivists and criminals are continuously seeking and discovering new ways to exploit vulnerabilities. Although organizations are working hard to remain one step ahead of attackers, we will never be able to prevent all potential attacks. We are living in a world where new threats are developing as fast as the technology to prevent them in a cat-and-mouse game. In light of these facts, two things are becoming clear to businesses of all types and sizes: One – if you suffer a breach, it will cost you, and two – you will suffer a breach.

Estimates have pegged the global cost of online crime at more than $400 billion yearly and constantly growing. The threat landscape itself is expanding and growing more complex, encompassing cloud-based technologies and services, smartphones and other mobile devices, the Internet of Things and more.

When responding to the increasing number, types and costs of threats, businesses tend to follow a predictable pattern. Some will deny risk exists or question its validity. Others will take token steps toward prevention that will actually have zero effect on their exposure. A third and growing group, however, will take these threats seriously enough to consider purchasing cyber insurance policies to offset any exposure remaining even after making an effort to increase their security. Cyber insurance is designed to provide coverage for an organization’s liabilities – internal and external – in the event of a breach, but because this is still a new and developing market, purchasers and underwriters face a variety of new demands and challenges.

For businesses, these demands include understanding true risk, taking specific measures to address that risk, and determining exactly what a policy is expected to cover. With these in mind, it is critical that businesses take three important actions before even considering, let alone purchasing, cyber insurance.

1. Evaluate Exposure and Protection

Before an insurer will underwrite a cyber policy, the organization must first demonstrate a complete understanding of its risk exposure, as well as the true need for protection. This knowledge validates an organization’s seriousness when it comes to cybersecurity and will allow insurers to create a policy that is most relevant to that particular business.

A comprehensive risk assessment, whether done in-house or by a third-party contractor, will highlight gaps in security and critical areas of risk that may need immediate attention. The assessment will help an organization prioritize actions and develop a strategic plan for ongoing risk management, including a timeline for any required actions. The organization can then share this information with a potential insurer to demonstrate that it takes information security and risk management very seriously.

2. Take Preventive Measures

No insurance policy is a complete security solution, and none is a license to be reckless. Policies are written to avoid covering high-impact scenarios that could easily have been prevented, such as an individual sending someone a large amount of money without a full vetting process or any secondary validation.

Like any insurance policy, cyber coverage is not a replacement for preventive security measures. Therefore, insurers will demand that certain steps be taken and measures implemented prior to even considering writing a policy. Organizations that are serious about addressing risks are those that implement a security framework that includes both technology and process controls to prevent breaches – and consider an insurance policy as a supplement to, rather than a replacement for, the risk-based security program they’ve implemented. The importance of having preventive measures in place before looking to insure assets cannot be overstated.

3. Assess Coverage

As with any type of insurance, there are many different types of cyber policies with varying levels of coverage. Therefore, it is vital that an organization be sure to read the fine print and understand just what each policy covers and, more importantly, what it does not cover.

Unfortunately, organizations often take out cyber insurance policies without performing this due diligence or researching the range of available policies, what they cost and what they cover. Because this is a new and evolving area of insurance, there are no standard policy terms or language for cyber insurance.

One important coverage consideration is whether data held by a third party or stored in the cloud is covered. It’s also crucial to understand what actions – or lack of action – could potentially invalidate the policy. These may include failure to keep current with security updates, breaches initiated from an employee’s personal device, former employees still having access to systems and other factors – many of which an organization may not even think of. Given the complexity of these agreements, it’s a good idea for organizations to hire an attorney to review policies.

In our connected world, businesses of all types and sizes rely on their IT infrastructure to a growing degree. At the same time, given the sophistication and relentlessness of today’s hackers, networks are constantly under siege. As a result, the convenience and efficiency enabled by connectivity also introduce risks associated with business interruption, financial loss, reputational damage and more if a network is breached. Therefore, organizations should seek cyber insurance coverage to supplement, not replace, strong network security technologies and practices, as well as reduce the impact of a breach. But only those companies that take these three important actions before they buy will be sure they’re getting exactly what they think they’re paying for in a cyber insurance policy.

About the Author

Christopher Camejo | Director of Threat and Vulnerability Analysis, NTT Security