Imagine you’re a large well-known company, and you’ve just found out your database has been breached. 3,000,000 files have been compromised, resulting in a loss of $5,000,000 in settlement. Your company’s bank account starts to dwindle, and you may be looking at potentially having to lay off employees. What could have been done to prevent this?
Cybersecurity insurance is something you should invest in and has seen drastic growth in recent years. It started as a rarely sought coverage. Though, it has now grown into a business necessity. Anyone can experience cyber-attacks, so companies and businesses especially need to be looking into investing in the protection of their valuable information and devices.
Growth of Ransomware and Cyber-Attacks
Insurance companies have seen their clients experience an increase in ransomware and business emails becoming compromised in the past few years, resulting in them losing tremendous amounts of money. The insurance companies had to pay out on the coverage for these organizations that could have done better to prevent these attacks if the necessary precautions were taken.
A real-life example of a coverage claim being denied would be an incident such as Cottage Health System vs. Columbia Casualty Company. It all started when Cottage Health System experienced a data breach. Of course, the following procedure was to contact their cyber insurer, Columbia Casualty company, to make a claim for coverage. However, Columbia Casualty Company denied them and issued a declaratory judgment against them.
Why? Cottage Health System did not follow the terms of its policy, which included maintaining specific minimum risk controls. This was a condition in their coverage, in which they failed to uphold their part of the agreement. Thus, Cottage Health System’s claim for cyber coverage was denied. All in all, the wrong steps were taken and the company did not take proper precautions to harden its network infrastructures.
For a long time, the cyber insurance industry was rarely moving. It experienced continuous low popularity. However, in 2020 after the COVID pandemic, there was a dramatic increase in cyber-attacks. Cyber-attacks can be multiple things, but it’s known primarily as malicious maneuvers targeting computer networks, infrastructures, smartphones, or personal computer devices in order to access protected information. Many people worked from home during the pandemic, so more people were using their computers on their home networks. Thus, more cyber-attacks resulted as well, and the numbers are still climbing today.
In “23 Terrifying Cyber Attack Statistics to Know in 2022”, it was reported that around 2,200 cyber-attacks happen each day. Cyber-attacks can be extremely detrimental to companies. Private/valuable information can be leaked and networks can be brought down, leading to possible lawsuits as well as losing millions of dollars in settlements and damage control.
As a technology company in the game since 1976, we at Usherwood have first-hand experience with the does and don'ts of cybersecurity and managing a cybersecurity insurance policy. Here are the top five requirements for obtaining and maintaining cybersecurity insurance coverage, ensuring you and your company are appropriately protected and will not see your claims denied.
You Need Multi-Factor Authentication for Your Business
You may have experienced multi-factor authentication (MFA) at some point on your devices. Whether that be your phone or computer, you have probably had to type in a code provided through a text message or answered an email agreeing it is indeed you trying to log into your account from a new device. This is what multifactor authentication does—it double-checks the authenticity of the user's identity.
For example, leaked wire transfer information can cause companies to lose lots of money. If the user had MFA, important information could avoid being compromised by hackers, malware, or ransomware. If the wrong person gets access to a company email, millions of dollars could be transferred to the wrong account and disappear. A company could take a critical hit. If they reported this instance to an incident response firm and didn’t have MFA, they most likely would have their claim denied because a multifactor authentication could have easily prevented this. A good example of this sort of incident is seen in Insurance Journal’s article “Travelers Wants Out of Contract With Insured That Allegedly Misrepresented MFA Use”, in which Decatur did not meet the conditions of using an MFA for its coverage agreement.
In the cybersecurity insurance company's eyes, this incident easily should have been avoided, meaning the company's lack of investing in commonplace security is at fault. It's naïve to think any company or business isn't at risk of a cyber-attack. Therefore, a company needs to follow the requirements of its cyber insurance policy. If any cybersecurity insurance company thinks you are not upholding your side of the coverage agreement by not having the protocol precautions in place, your claim will most likely be denied.
Endpoint Detection and Response are Essential to Cyber Security
What is endpoint detection and response (EDR)? EDR in summary—detects incidents, investigates alerts, remediates incidents, and restores the network to an uncompromised state. It's the new and improved version of antivirus and is more signature-based. Signature-based means it's security software identifying bits of code related to a particular type of malware.
EDR assists with always making sure the device is being updated and protected if any malware is found. Then it uses the standard functions and processes to determine what is appropriately running and what isn't. It'll check for anomalies and react immediately if it sees anything remotely suspicious.
Again, having something like EDR helps ensure you’re meeting insurance policy requirements. You’re not coming into everything with a blind eye or failing to uphold your part of the coverage agreement. Cybersecurity insurance coverages aren't completely managed like they used to be—a more complicated world of technology now requires the business-in-need's compliance.
A Third Party Should be Supporting Your Company’s Cyber Security Efforts
Not only do you have to have an endpoint detection and response, but you also need to have your security measures, such as EDR, supported by a third party. What does this mean? A third-party company should be responsible for the liability protection of your company should there be a data breach or cyberattack. This ensures that the legal costs, settlements, and judgments of any possible cybersecurity lawsuit will be settled, and your claims won’t be denied.
Why Third-Party Support is So Crucial
A third-party company backing you up is another defense between you and malware or cyberattacks. Your business has more advanced functionality and your company needs to be on the lookout 24/7. Hence, you must establish a backup defense if anything slips past your first line of defense. Working with a third party can give you more insight into what you're dealing with. If one company misses something, the next one can be right there to catch it before something harmful happens.
Maintaining your cybersecurity is a team effort. At the end of the day, you want to ensure you're taking all necessary precautions and carefully setting up your own army to fight back against cyber enemies.
The Importance of Having All Your Facts Straight in Cyber Security
One of the most important things for getting cybersecurity insurance coverage is ensuring you are completely transparent and informative. This means not answering questions simply by saying yes or no. Clarification is crucial. Lack of clarification can be why cybersecurity claims are sometimes denied. Yes or no answers are too definitive, too black and white. If you want those at the cybersecurity insurance agency to seriously consider you, be upfront and honest about your situation.
How The Insurance Company Handles Your Claim
In the event of a claim provide as much detail as you can. You will most likely have to fill out a questionnaire —do so carefully and thoroughly. Take the time to look over everything and make sure you have supportive information on your side. The insurance company will require you to bring in an incident response team in the event of a cybersecurity incident. That team will basically take a forensic account of the whole situation. They will look at the event and determine who is at fault and why, and whether it could easily have been avoided.
Typically, insurance companies are looking for any reason to deny your claim. They will scrutinize your business and your incident. They'll connect the dots between what you told them and what evidence they found themselves. If something doesn't match up, it won't look good. Your claim will be denied. Saying yes to everything is not the answer.
Initiate Your Own Cyber Security Training
Lastly, giving yourself and your company cybersecurity training will only lead to beneficial outcomes. Don’t display care about getting insurance once something has already happened to you. Take the time to properly educate yourself and your team on how to prevent a cybersecurity incident. Make this training a collaborative effort to protect what matters to you.
Educating yourself and other employees on what to look out for and how to avoid or handle certain situations would be best. If you can't personally offer it, that's where your third-party support or cybersecurity insurance will come into play. But you need to tackle cybersecurity insurance in a timely manner. Cybersecurity insurance is worth the work if it ends with helping you sleep better at night knowing your company is properly protected. That can only be possible with the effort and work on your end, though.
Although Usherwood does not offer cybersecurity insurance directly, we provide our Managed IT clients with both the tools and guidance to obtain and maintain proper cyber insurance coverage.
