On Thursday, December 7th, Usherwood Office Technology hosted a webinar entitled “Is Cyber Insurance a Critical Part of Your Cyber Attack Survival Kit?”. Tucker Lounsbury, President of NBT Insurance joined Usherwood VP of Managed IT Services Stewart Walts in a discussion about the ins and outs of cyber insurance. Topics included what costs are typically covered by cyber insurance, how to qualify for a policy, and things to keep in mind when assessing your business’ cyber-attack risk factors.
What Cyber Insurance Covers
During the Webinar Tucker discussed the different expenses that cyber insurance covers in the event of an attack. There were two main types of cyber insurance claims that policies cover, including first-party and third-party claims.
First-Party Insurance Claims
First-party claims include any costs associated with the policyholder’s cyber-attack “clean-up”. This might include the cost of an investigation from outside vendors, cleaning up the mess that the attack caused, and notifying affected parties of the breach. This also includes coverage of any lost revenue and other business interruption costs, which Tucker also mentioned.
These are all factors to think about when setting up your policy, Tucker said, as you’ll need to set the right limits for specific first-party costs.
Third-Party Claims
Third-party claims refer to costs from outside parties due to lawsuits, fines, and other resulting damages from data breaches or losses.
“Somebody that was affected by your breach [might] sue you, and you’re going to have a third party claim that’s going to come from a customer or an employee that has lost their personal information or their health information, and [you’re going to have] a lawsuit for that,” Tucker said.
What Cyber Insurance Does Not Cover
When the conversation shifted to what might not be covered by cyber insurance, Tucker explained that a breach linked to a failure to update software with current patches can result in insurance claim denials in the event of a costly breach.
“They want to make sure you don’t have any neglected software issues,” Tucker said. “If you don’t stay current on those, there is now exclusionary wording in some policies. You’re going to have some skin in the game if there’s a claim and they find that you’re not staying current within reasonable amounts of time to patch all of those different software programs.”
Tucker went on to explain that there is at least some coverage for things like government fines, so it’s important to read the fine print in your policy. He mentioned that crime insurance also factors in, as some businesses still fall victim to scams like phishing and vishing. Crime insurance can help cover those losses. Overall, he said, costs resulting from neglected cybersecurity are likely to result in denied claims, and therefore not covered.
Cyber Insurance Policy Requirements
The cyber insurance market is a changing landscape, as more cyber attacks and tactics are discovered every year. This also makes it tougher to qualify for a policy, as cyber insurance brokers don’t want to be responsible for businesses that are at greater risk of a cyber-attack. Some of the requirements include:
- Use of Multi-factor Authentication
- Endpoint Detection and Response
- Vulnerability Management
- Strong Data Backups
Industries That Involve Greater Risk
There are some industries that Tucker said are at greater risk for cyber-attack. This is because some types of businesses deal with particularly sensitive information. Cybercriminals will capitalize on this, and target these businesses since they have more leverage when holding data or assets hostage.
Healthcare
Businesses in the healthcare field are at particular risk, as Tucker and Stewart explained. This is due to HIPAA-protected data that they are responsible for protecting, which can make a breach much more serious. This has made policies for this field more expensive, Tucker explained. However, they come with more coverage and specialized verbiage designed to help healthcare businesses recover from costly attacks.
To read more about the impact of cyber breaches on healthcare businesses, check out our blog: Is Cybersecurity Really That Big of a Deal In Healthcare? Risks of Healthcare Data Breaches.
How to Fill Out a Cyber Insurance Questionnaire
Cyber insurance companies require policy applicants to fill out a detailed questionnaire to determine if their business is secure enough to qualify. This is to ensure that the applicant isn’t at high risk due to a lack of sophisticated cybersecurity protections.
“The questions on these questionnaires are often black-and-white, yes-or-no questions,” said Stewart. “The answer to these questions is often not just ‘yes’ or ‘no’. There’s often some grey area there.”
Stewart mentioned that MSPs like Usherwood will help clients answer parts of these questions, providing context and outlining the “whole story” of a client’s cybersecurity standing.
He emphasized they need to be as detailed as possible when filling out these forms. Get familiar with your organization's tools such as MFA, EDR, and phishing training before you fill out the questionnaire. The more details you provide, the better your chances of getting approved.
Additional Ways to Prepare Yourself
As the webinar wrapped up,
Tucker mentioned that a good way to prepare yourself for a possible cyber-attack scenario is to complete incident response planning and define who will be on “your team”. Your team typically would include external personnel who would take the lead in legal, forensic investigation, potential ransomware professionals, and public relations if your business suffered a breach. It will include your cyber insurance agent, C-suite executive team, and IT team internally.
“You’ve got to know who to call,” Tucker explained. “You’ve got to get a third-party forensic firm in to diagnose what exactly happened. You’re going to want to have an attorney/cyber incident coach that can take the lead and make sure you’re handling the scene of the crime properly,” he said.
Once you have identified your threat response panel, then you can do “tabletop exercises” to act like fire drills for your team. If a breach happens, who will handle each task? Who will work on notifying those affected? Who will lead the investigation into what went wrong? These are all details that should be ironed out before an attack, so you have a plan in the event of it happening.
“You need to know who all these providers are. The only way you know who that is, is by working with your insurance providers before the incident,” Tucker said.
How to Level Up Your Cybersecurity Strategy
The first step in preparing to apply for a cyber insurance policy is to properly assess your current security risk level. Partnering with a reputable IT services provider is a great place to start. If you’re serious about protecting your business by mitigating the real threat of cyber-attacks, click the button below to get our exclusive, free cybersecurity checklist.
