Over the last few years, one of the more frequently mentioned topics among Boards of Directors and Executive Management has been Cyber Liability Insurance. Many Information Security and Risk Professionals have been aware of this product and its benefits, and in most situations, were the ones who brought it up to BODs and Executive Management. This post is intended to give a brief overview of Cyber Liability Insurance, why it is needed, considerations for purchasing, and recommendations on improving your security posture.
Cyber Liability Insurance Overview
Cyber Liability Insurance is a separate policy, written for businesses that consume or provide technology services or products, that covers liability, property losses, and expenses associated with cyber incidents. For companies with a high level of IT-related risk, Cyber Liability Insurance is a risk response (transferring the risk) chosen by the organization to reduce the identified risk to an acceptable level. It is important to remember that Cyber Liability Insurance is not a “silver bullet”: only the financial burden of an incident is covered, and the company must still answer for the fallout.
Underwriting and Execution
Typically, cyber liability insurers will scrutinize your Information Security Program, ask about prior incidents, and learn your business environment through questionnaires and research. They will ask about areas such as asset management, incident management, encryption, anti-virus, the types of data you hold, and where that data is stored. This is all done so that they can quantify your risk and set premiums. The insurer will offer different coverage based on whether you are a consumer or a provider of technology services.
If your company experiences a cyber event, the insurer will deploy its network of specialized vendors to investigate, remediate, and recover from the incident, notify those affected, and assist with your litigation defense. The insurer has already pre-selected these vendors, and it will coordinate them at the appropriate times. Be sure that any work covered by the policy is performed by the insurer's vendors, or you may not be reimbursed for those costs.
Plans will have coverage maximums, deductibles, and premiums, just like other insurance products. Reviewing your options carefully and understanding what type of coverage you need will allow you to properly shop and select the right product.
Most Cyber Liability products will cover costs related to Errors and Omissions, Media Liability, Network Security, and Privacy.
Policies cover first-party costs, those you incur as a direct result of the incident, and third-party costs, those that arise from litigation or fines as a result of the incident.
First-Party Costs
- Forensic investigations
- Legal Advice
- Notification Costs
- Credit Monitoring
- Public Relations
- Business Interruption
- Cyber Extortion
Third-Party Costs
- Legal Defense
- Settlements, damages, and lawsuits related to incident
- Regulatory response costs
- Regulatory fines
Why do you need it?
It doesn't take much to find a headline about the latest information security breach or ransomware attack. It's not a matter of if you will be compromised, it's a matter of when.
- According to the Ponemon Institute's 2016 report the average cost for a breach in the US was $7 Million and the average cost per record was $220.
- In IDG's "Global State of Information Security Survey 2016," respondents detected 38% more cybersecurity incidents than the year prior.
- Additionally, 48% of data security breaches are caused by acts of malicious intent, with human error or system failure accounting for the rest. So even if there were no "bad guys," you still have to worry about attacks or mistakes from your own staff and systems.
- According to the FBI, "Business E-mail Compromise" has cost U.S. businesses almost $1 Billion from Oct. 2013 to May 2016, impacting over 14K users.
The threat surface is growing at a rapid rate and will continue to grow: there are more connected users and IP-connected devices, consuming more data than ever before, and each provides new threat vectors for criminals and insiders to exploit.
Everyone's a Target
Regardless of what industry you're in, you're a target. Health Care and Banking are the major targets, but phishing campaigns can end up in anyone's inbox. Companies also underestimate the value of their data and think that they are not a big enough fish. But as we learned with the Target breach, the attackers were able to get in by compromising an HVAC company that had network credentials to Target's systems. Small and mid-sized organizations (SMBs) are hit more often than you think: according to Keeper Security’s “The State of SMB Cybersecurity” report, 50 percent of small and mid-sized organizations reported suffering at least one cyberattack in the last 12 months.
Should you get it?
A few steps should be taken prior to purchasing a policy. First, check any existing general liability policy that your organization has, to understand what is currently covered and what is not. Your organization, or a contracted third party, should perform an enterprise security risk assessment. The organization needs to understand its assets, technologies, potential exposure, and regulatory requirements before shopping for cyber liability coverage. Review all policy options and caveats; based on your risk assessment, ensure that your highest-risk scenarios are properly covered. Some insurers will provide customized plans, but you may end up paying higher premiums, so be diligent and shop around. Once you understand your current coverage and your organizational security risk, and have pricing, perform a cost-benefit analysis. The decision should involve your BOD or Executive Management; I can assure you that heads will roll if a breach occurs and the decision not to buy Cyber Liability Insurance was made without their knowledge.
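The cost-benefit step above (together with the deductible and coverage-maximum terms described earlier) can be made concrete with a simple expected-loss model. The following is an added example, not part of the original post: it takes a handful of risk-assessment scenarios (annual likelihood and estimated total first- plus third-party cost), applies a policy's deductible and per-incident coverage cap, and compares the expected loss transferred to the insurer against the premium. All scenario probabilities, loss figures, and policy terms are constructed for illustration and are not figures from the post or from any insurer.

```python
"""Expected-loss comparison for a cyber liability policy decision (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    annual_probability: float  # likelihood the scenario occurs in a given year
    loss: float                # estimated first- plus third-party cost if it occurs


@dataclass(frozen=True)
class Policy:
    name: str
    premium: float
    deductible: float
    coverage_max: float        # cap on what the insurer pays per incident


def covered_amount(loss: float, policy: Policy) -> float:
    """Insurer's payout for one incident: the loss above the deductible, capped."""
    return min(max(loss - policy.deductible, 0.0), policy.coverage_max)


def retained_amount(loss: float, policy: Policy) -> float:
    """What the organization still pays: the deductible plus anything above the cap."""
    return loss - covered_amount(loss, policy)


def expected_annual_loss(scenarios: list[Scenario]) -> float:
    """Expected loss per year with no insurance at all."""
    return sum(s.annual_probability * s.loss for s in scenarios)


def expected_retained_loss(scenarios: list[Scenario], policy: Policy) -> float:
    """Expected loss per year that the policy does NOT absorb."""
    return sum(s.annual_probability * retained_amount(s.loss, policy) for s in scenarios)


def net_benefit(scenarios: list[Scenario], policy: Policy) -> float:
    """Expected amount transferred to the insurer minus the premium.

    Positive means the policy is worth it on expectation; negative means the
    organization would, on average, pay more in premiums than it recovers.
    """
    transferred = expected_annual_loss(scenarios) - expected_retained_loss(scenarios, policy)
    return transferred - policy.premium


def evaluate(scenarios: list[Scenario], policy: Policy) -> dict:
    """Summarize the decision inputs for one policy."""
    return {
        "policy": policy.name,
        "expected_annual_loss": expected_annual_loss(scenarios),
        "expected_retained_loss": expected_retained_loss(scenarios, policy),
        "premium": policy.premium,
        "net_benefit": net_benefit(scenarios, policy),
    }


# Constructed scenarios from a hypothetical risk assessment (not real figures).
SCENARIOS = [
    Scenario("ransomware outage", annual_probability=0.10, loss=500_000),
    Scenario("business e-mail compromise", annual_probability=0.20, loss=150_000),
    Scenario("large customer-data breach", annual_probability=0.02, loss=7_000_000),
]

# Two constructed policy quotes: a low cap and a high cap at different premiums.
LOW_CAP = Policy("low cap", premium=60_000, deductible=50_000, coverage_max=2_000_000)
HIGH_CAP = Policy("high cap", premium=150_000, deductible=50_000, coverage_max=10_000_000)


if __name__ == "__main__":
    for policy in (LOW_CAP, HIGH_CAP):
        result = evaluate(SCENARIOS, policy)
        print(f"{result['policy']:>8}: expected loss ${result['expected_annual_loss']:,.0f}, "
              f"retained ${result['expected_retained_loss']:,.0f}, "
              f"premium ${result['premium']:,.0f}, net benefit ${result['net_benefit']:,.0f}")
```

The point the numbers make is that the per-incident coverage maximum, not the deductible, is what decides whether the low-probability, high-severity scenario is actually transferred; with the constructed figures the low-cap policy leaves most of the large-breach loss with the organization, which is exactly the kind of gap the risk assessment should surface before a policy is signed.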
Another Option: Incident Response Retainer
An Incident Response Retainer (IRR) is designed to respond rapidly to a security incident, with the goals of minimizing damage and system downtime, assisting with the appropriate response, and helping you recover in a timely manner. Typically a trusted, experienced security firm will offer these services through a pre-paid block of hours for a calendar year. There are many benefits to the IRR:
- Quicker response time: IRRs assign a designated security professional who will be your point of contact.
- They are already familiar with your systems: Upon signing the contract, your company will brief your IRR contact on your business model and infrastructure.
- Get value from unused hours: Unlike a premium that is lost when you don't have an incident, your block of unused hours can be used for other things before the year is out (IR plan reviews and creation, mock incidents, etc.).
- Can still be layered with a cyber liability plan: As with other insurance, you don't want to file so many claims that your premiums increase. You can use the IRR for smaller incidents that won't meet your deductible.
Improve Your Information Security Posture
Whether you go with Cyber Liability Insurance, an IRR, or neither, you will need to face the music and improve your information security program as soon as possible. It's painful to executives because of the perception that the ROI is not there, but it's a necessity in today's world.
Key items to have in any Information Security Program:
- Perform an Information Security Risk Assessment
- Educate and get buy-in from Executive Management
- Create/update an Information Security Policy
- Create/update an Incident Response Plan
- Create/update an Enterprise Risk Management Program
- Implement some level of technology controls (based on the risk assessment)
Sparkhound is here to help!
Leveraging institutional knowledge of the key industries in our area, together with an understanding of how technology secures your environment, puts Sparkhound in a position to deliver key competencies around information assurance:
- Security Program Governance
- Risk Management
- Cyber Security
- IT Compliance & Governance