Cyber Insurance: 7 Questions To Ask

Cyber insurance is a growing field putting business and security leaders to the test as they navigate the often tricky process of researching and purchasing policies. Technology is quickly changing, and so is risk.

Insurance for cyber-security is different from other types of insurance because the nature of threats is constantly changing. A hurricane doesn't change intensity because a building code changes, but cyber-criminals will change their strategies as technology and risk evolve.

"New trends like BYOD and IoT make tech strategy change all the time," says Portnox CEO Ofer Amitai. "It's really a problem for businesses to assess their policies and terms. Technology is so dynamic. It's difficult to say what's going on; what's their risk."

These changes make it harder for underwriters and companies to stay abreast of the landscape. During the tricky process of buying cyber insurance, you'll ask and answer questions about your company, security posture, and other factors to determine which policy is best for you, and how much coverage you should buy. 

The research process is changing for businesses as the marketplace gets more competitive, notes David Bradford, chief strategy officer and director of strategic partner development at Advisen. Because insurers are fighting to underwrite the same businesses, they're making the purchasing process less burdensome for clients.

That said, insurance remains a tricky field to navigate, especially for companies new to it.

1. What am I afraid of?

A key step in buying cyber insurance is figuring out what to protect, Amitai explains. This goes beyond the common concerns around customer and employee data to include things like brand reputation.

If a data breach hits, your business will need to worry about more than IT damage. The cost of public relations expertise, to recover a brand name following an attack, may not be covered under a cyber insurance policy.

2. Cyber insurance is data breach insurance, right?

Companies often perceive cyber insurance as data breach insurance, but it is important to understand that breaches make up only one portion of cyber insurance coverage.

Policies also cover the cost of forensics, legal fees, business interruption, and a whole variety of expenses incurred related to a cyber incident.

3. Where do my exposures lie?

Many companies struggle to purchase insurance because they don't know where their weaknesses are. Risk assessments help them identify their exposures, where their greatest vulnerabilities lie, and which assets are most vulnerable. Where does sensitive data reside? For multi-national firms, how large and varied is your attack surface? Are you protected in all the areas where sensitive data is stored?

Because cyber insurance is a fairly new field, companies often neglect to do this. Quantifying risk is a critical step in determining how much insurance coverage to buy.

4. What is the potential damage?

Once you determine your most critical assets and where your vulnerabilities lie, it's important to gauge the likelihood and potential cost of an attack. Which scenarios do you care about? 

How much will it cost if your most valuable information is exposed to cyber-crime? This number is likely to change as businesses adopt new technologies like cloud, mobile, and IoT, all of which will increase the attack surface and potential cost of a breach.

Cyber insurance isn't a replacement for strong security measures, and businesses should continue to change their strategies to acknowledge the risk these technologies will bring.

Insurance is something you want to have in place, but it's not a replacement for best practices. It insures a loss, so you won't have to close the business if you suffer a major breach.

5. How does the size of my business affect my insurance policy?

Small companies undergo a simple insurance application process. They may answer four to five questions that don't require investigation; for example: Do you have a firewall? Do you encrypt at-risk data? Inquiries won’t go much deeper than that, and smaller businesses will be given a fixed price for their risk.

The process gets more complicated for mid-size organisations, which typically answer a questionnaire about the security controls they have in place. They will provide information about firewalls and other data protection policies, data access and recovery, outsourcing, and compliance.

Larger businesses have to do the most work in developing information for underwriters. Insurers typically require an audit of most big organisations. Underwriters have to speak with the CISO, CIO, and IT teams, making the process burdensome and complex.

6. Where are there gaps in my policy?

Given the range of cyber insurance policies, businesses need to put in their due diligence to determine which one is right for them. 

One of the biggest problems with cyber insurance is that organisations don't have a firm grasp of what is and isn't covered. Many make the mistake of not buying the correct amount of the insurance that best suits their needs.

Different types of businesses face different threats. Misunderstanding your policy can lead to some unfortunate outcomes. What happens if a hacker breaks into a medical device and causes physical harm? Is bodily injury covered under your insurance policy? It's understandable to think so, but this isn't included in many plans.

Manufacturers, as another example, are exposed to property damage. If someone hacks into their control system and wreaks havoc in production, the business may expect its cyber insurance policy to cover it. Many policies don't.

7. How can I make sure I'm doing this right?

Experts recommend consulting a broker when things get difficult, but choosing with caution. There are some excellent brokers in the field, but many are so new they don't have enough experience to effectively advise clients.

Work with a broker who has domain expertise in cyber insurance. This is important because cyber insurance policies vary from carrier to carrier. Auto policies, for example, are generally similar. Cyber policies vary in both language and terms.

Most major brokerage operators have on-staff experts who know enough to work with large businesses purchasing cyber insurance policies. Small companies buying via local agents or brokers, in contrast, may find that those agents don't have the level of expertise they need.
