Are You Sure You Qualify For Cybersecurity Insurance?
Have you been researching cybersecurity insurance, but aren’t sure if you qualify? Before you can secure coverage from a carrier, you need to do your due diligence and enhance your cybersecurity.
Cybersecurity insurance is protection designed specifically to help cover the potentially massive expenses associated with an unavoidable data breach. It can be a worthwhile investment, so long as you know how it works.
Mathe can deliver the cybersecurity support needed to ensure that you qualify for a robust cybersecurity policy, and help you meet the standards set out in the claim process as well.
Get in touch with the Mathe team to discover how our cybersecurity suite will manage your insurance policy compliance.
The Small Business Cybersecurity Dilemma
For small businesses, the cybersecurity climate is especially dire. According to a study conducted jointly by Cisco and the National Center for the Middle Market, over 50% of small businesses have no cybersecurity strategy or plan in place, and of those that do, most have not reviewed the plan in over a year.
A cybersecurity strategy and plan, once created and adopted, must be reviewed at least annually to ensure that current threats are being included.
Cybersecurity is not a one-and-done solution; the threat landscape evolves at a rapid pace and frequent reviews ensure that the plan will help reduce an organization’s cyber risk profile. That’s why you need to be aware of the greatest threats to your business and plan against them.
Cybersecurity Insurance Won’t Protect Your Business If Your Cybersecurity Standards Aren’t Up To Par
The somewhat inevitable nature of modern cybercrime has led businesses to consider cybersecurity insurance as a final layer of reassuring protection.
In fact, it’s becoming more and more necessary, as many insurance providers have begun drawing a clear line between normally covered losses and those incurred by cybercrime-related events.
That means that if your cybersecurity doesn’t meet the standards of your insurance provider, you may not be as well covered as you think.
35 Questions Your Cybersecurity Insurance Carrier Is Going To Ask…
- Does your business have a policy against opening unverified email attachments?
- Does your business keep malicious and spam emails out of staff inboxes?
- Does your business double-check email attachments before they are delivered?
- Does your business have an email threat protection solution in place?
- Does your business have an endpoint protection solution in place?
- Does your business use an Endpoint Detection & Response (EDR) solution?
- Does your business use multi-factor authentication (MFA) or Two-Factor Authentication (2FA) on all user accounts?
- Does your business test cybersecurity standards with regular vulnerability scans?
- Does your business prohibit incoming connections using hardware and software firewalls?
- How many users have local administrator rights enabled?
- Do you have a content filtering solution?
- Does your business monitor traffic into and out of the network?
- Do your staff members have access to a password manager?
- Are admin accounts tracked and monitored to limit and log access?
- Do you have recent and tested backups of all mission-critical data, applications, and configurations?
- Do you have encryption for backups (both at rest and in transit)?
- Do you store backups on and offsite?
- Are your offsite backups protected by an air-gap and separate authentication mechanism?
- Does your business use a cloud syncing service? (e.g. OneDrive, Dropbox, SharePoint, Google Drive)
- Is your cloud data backed up?
- Can staff members access business email on their personal devices?
- Can staff members send or receive PII, ePHI, or PCI data through business email?
- Do you have an email encryption solution in place?
- Is your staff regularly tested and trained on phishing and other social engineering attack vectors?
- Do you have a log aggregation solution in place?
- Do you have a Security Information and Event Management (SIEM) system in place?
- Do you have an update and patch management system in place?
- Does your business monitor its network 24/7?
- Do you work with a third-party IT company?
- Do you rely on a third-party Security Operations Center (SOC)?
- Is all data encrypted (at rest and in transit)?
- Does your business have a documented policy for addressing unsafe conduct by employees?
- Is your business compliant with applicable regulations and standards?
- Do you have a policy in place for limiting resigning or terminated employees’ access to business data?
- Do you have a Mobile Device Management policy in place to limit risks posed to business data by your employees’ personal devices?
As you can see, there’s a lot involved in qualifying for cybersecurity insurance. Without a comprehensive cybersecurity strategy in place, and the proper engagement from your team, you may not qualify.
How To Get Cybersecurity Insurance
In order to determine what type of cybersecurity insurance you may need, it’s important to start by taking stock of your business and the potential threats posed to it:
- Evaluate your system infrastructure: The best way for you and your team to determine the kind of coverage that is best for your business is to understand your IT infrastructure. By evaluating your systems from top to bottom, you’ll have a clear idea of all the different access points that could be leaving your network vulnerable to threats.
- Improve your security to reduce your rate: Don’t forget to look into how investing in your cybersecurity could save you money on premiums. Open up a dialogue about it with your potential cybersecurity insurance provider and see what they suggest.
- Identify your risks: Next, it’s best practice to conduct a risk assessment and an impact analysis. Carefully review all your business’ assets—including financial data, customer information, and intellectual property. Categorize assets according to their risk and consider the potential impacts that a data security event could have on all aspects of your business.
Will Cybersecurity Insurance Completely Protect Your Business Against Cybercrime?
A common misconception is that a cybersecurity insurance policy is a catch-all safety net, but that’s simply not the reality. Without a comprehensive cybersecurity strategy in place, a business may not qualify for a policy in the first place.
Furthermore, in the event of a hack, a business may not qualify for full coverage if their cybersecurity standards have lapsed, or if they can be found to be responsible for the incident (whether due to negligence or otherwise).
The core issue is that as cybercrime becomes more common and more damaging, insurers will become more aggressive in finding ways to deny coverage. It’s in the interest of their business to pay out as little and as rarely as possible, which means the policies will tend to rely on a series of complicated clauses and requirements that covered parties have to comply with.
A key example of this is when Mondelez International was denied coverage for the $100 million of damage they incurred from the NotPetya attack. Their insurer, Zurich Insurance, cited the obscure “war exclusion” clause, claiming that Mondelez was a victim of a cyberwar.
This is not an isolated incident. As discovered by Mactavish, the cybersecurity insurance market is plagued with issues concerning actual coverage for cybercrime events:
- Coverage is limited to attacks and fails to address human error
- Claims are limited to losses that result directly from network interruption, and not the entire period of business disruption
- Claims related to third-party contractors and outsourced service providers are almost always denied
All this goes to show why business owners need to look carefully at the fine print of their cybersecurity insurance policy and ensure their cybersecurity standards are up to par. No one should assume they’re covered in the event of a cybercrime attack—after all, for every $1 million paid in premiums, insurance companies only pay out $320,000 in claims.
We Will Help You Secure Your Biggest Vulnerability (Your Staff)
Some of the most effective cybercrime tactics in use today focus on the user as the weak link in a business’ cybersecurity posture.
Phishing scams send fraudulent emails and trick recipients into downloading dangerous malware or divulging sensitive information. Fake websites infect the systems of those that visit them, or steal their personal data.
It’s because of threats like these that you need to invest in your staff’s cybersecurity awareness—Mathe will help.
We offer a comprehensive employee Cyber Awareness Training program developed by Cyber Guard 360 that combines regular online training, simulated phishing attacks, and dark web monitoring. The three components of this curriculum include:
- Phishing Training and Testing: Ensure your users know how to identify a dangerous email.
- Security Awareness Training: Give your users the knowledge they need to contribute to organization-wide cybersecurity.
- Policies and Procedures: Implement and roll out proven best practices for maintaining robust cybersecurity across your staff.
With our help, your staff will contribute to your cybersecurity, not compromise it. Furthermore, in the event that an unaware staff member does compromise your cybersecurity, you’ll have detailed, verifiable policies in place showing your effort to maintain security, which will help with your insurance claims.
Need Help Qualifying For Cybersecurity Insurance?
Meeting the stipulations laid out by cybersecurity insurance providers may not be easy depending on the state of your cybersecurity posture. Mathe can help you improve your approach to cybersecurity.
Our team provides cybersecurity and technology services for businesses like yours—we are available to help you develop a robust cybersecurity defense. We can ensure you qualify for a policy and minimize the chance that you’ll have to make a claim on your cybersecurity insurance.
Get in touch with our team to get started.
Thanks to Kelly and Sean at Orbis Solutions for their help with this information. Check them out at https://www.orbissolutionsinc.com/las-vegas-it-services/
With over 35 years in the business of supporting and implementing technology for the SME market, and 6 years previously in corporate IT and voice, I have seen a great deal of change. The only common thread is that I have always focused on the business-wise application of technology. We always try to look 5 years ahead of the current technology to make sure our clients are on the right track to meet current and future needs.