For many years, organizations had limited options for addressing data protection risks. A company could never eliminate risk, but it could try to reduce or mitigate it. In the last 20+ years, cybersecurity insurance has added risk transference to the available palette of palliative choices. However, it is only recently that many companies have explored how insurance can protect against losses due to a cybersecurity incident, as well as against litigation resulting from the event.
The function of cybersecurity insurance
It is important to first understand the function of cybersecurity insurance. It is a financial loss coverage method for security and privacy incidents. It does not protect against physical damage; this would traditionally be covered under a property or casualty insurance policy. It can, however, cover cleanup costs of an incident, and liability arising out of it.
Cybersecurity insurance was originally designed to cover data breaches as a result of U.S. regulations. For example, credit monitoring and breach notification costs were the focus of early policies. As privacy regulations and cyber risks have increased, insurance covering these challenges has grown in popularity for many organizations. This is a direct result of the frequency of ransomware attacks, as well as the higher ransom demands of the cybercriminals. The reality of the risk has driven organizations to seek solutions, both technical and administrative.
From an insurance perspective, the industry has had to adjust its approach to better underwrite the risk. Initially, an insurer would only ask simple questions, such as whether a company was encrypting data and what its recovery plan was. With the rise of ransomware, insurance companies have increased their technical knowledge in order to better assess a company's insurability.
What does cybersecurity insurance cover?
| First-Party Coverage | Third-Party Coverage |
| --- | --- |
| Damage or loss of data | Network security and privacy liability |
| Loss of income | Media liability |
| Cyber extortion / ransomware | Regulatory proceedings |
The key controls you need
Having key controls in place allows an organization to seek the broadest coverage. While there is a long list of items that should be part of a good security plan, the three critical items on the list are:
- Multi-Factor Authentication (MFA).
- Patching cadence.
- Incident response plans.
MFA is perhaps the most important control to have in place in an organization. Danna echoed this sentiment:
“The majority of data breaches in recent years have all been accomplished through credential compromise. Criminals no longer need to break into organizations. They simply log in with stolen credentials, and the dark web market for stolen credentials is thriving.”
The good news is that more organizations are starting to understand the importance and benefits of MFA and are surprised at how easy it is to deploy it within their environments. Cybersecurity insurance is dependent on some controls being in place, and the absence of these controls can either mean a denial of coverage or extremely high deductibles. It would seem that the insurance companies are incentivizing MFA with greater effect than regulations have been able to achieve.
Cybersecurity insurance was created to respond to U.S. regulations. However, as the global economy has evolved, there are regional considerations that must be observed by organizations seeking insurance. When evaluating a cybersecurity insurance policy, it is important to know the territory it covers; it should be global in scope. Along with the global reach, the policy should have broad regulatory reach.
With all of the new privacy regulations that are emerging, it is critical that your insurance contemplates these developments. Fines and penalties may not be coverable, so it is important to know that in advance. Another important element to understand is that payment across disparate domiciles must also be addressed, particularly in restricted countries.
The value of the information that is being gathered as a result of these attacks should not be underestimated. The threat intelligence collected by security organizations and insurance entities can be a source of beneficial partnerships. This can be especially valuable for smaller organizations that lack the resources to guide them toward best practices and the implementation of controls. It could also help them to qualify for cybersecurity insurance.
A partnership of this type can also be important, as various governments are now making ransomware payments illegal. This is especially relevant in the U.S., where the Office of Foreign Assets Control (OFAC) publishes a list of countries that are restricted from trade with the United States. Along with that, the insurance industry is not going to facilitate ransomware payments.
Robust Security - Check!
One advantage of cybersecurity insurance assessments is that there is a level of “cross-pollination” that can occur. For instance, the assessment form can also be used as a checklist for regulatory compliance and risk appraisal within an organization. All of these can add confidence that robust security is in force in a company.
It all goes back to controls. Just as a person is given “good driver discounts” for automobile insurance, organizations can do the same if they can show that they are protecting their assets as carefully and diligently as possible. To hear more of my conversation with Neira and Danna, tune into the Thales Security Sessions podcast.