Cybersecurity Insurance
June 18, 2021 at 1:00 PM
Businessman opening a paper

Managing cybersecurity investments and cybersecurity strategy requires effective risk analysis. In turn, a consideration in effective risk analysis is transference of risk. One way to transfer risk is through insurance policies – a key option to consider as part of your risk analysis. It’s Just Results recommends that every business carry cybersecurity insurance as part of your cybersecurity investments.

Cybersecurity insurance, just like other areas of cybersecurity, is rapidly changing. Attacks are increasing in tandem with options to protect and defend the business. This fast-paced and dangerous environment requires that companies pay attention and take action.

In March 2021, hackers attacked CNA Financial, one of the 15 largest property/casualty insurance firms in the US. CNA paid hackers $40 million to remove ransomware (files were reportedly inaccessible by corporate staff) from its corporate systems.

CNA Financial’s story is just one of many, and each serves to set a precedent, inspiring more hackers and creating a response ripple effect in the industry. At-risk government organizations and companies have implemented a broad range of responses from coordinated measures to siloed initiatives.

In February 2021, the New York Department of Financial Services (DFS) published a Cyber Insurance Risk Framework of best practices for the insurance industry. The framework has 7 elements:

1. Establish a formal cyber insurance risk strategy – This is the leading requirement incorporating elements 2 through 7 below. It requires establishing direction and approval by senior management and the board of directors (or other governing body if there is no board).

2. Manage and eliminate exposure to silent cyber insurance risk – Silent cyber risk is risk an insurer must cover from cyber incident losses, even if a policy does not explicitly mention cyber. This can create unexpected losses. The requirement is for insurers to review their policies and explicitly address this risk.

3. Evaluate systemic risk – This requires evaluating systemic risk, such as a reliance on third parties who might, for example, provide cloud services to many of the insurance companies clients. This could be a situation in which a catastrophic event affects many insurance company clients all at once.

4. Rigorously measure insured risk – This is performed through surveys of cybersecurity-insured clients to understand what they are doing and identifying gaps to be closed.

5. Educate insured companies and insurance producers – The NYDFS suggests incentivizing companies to maintain stronger cybersecurity protections. This can range from providing guidance, discounted access to cybersecurity services, cybersecurity assessments, and recommendations for improvement.

6. Obtain cybersecurity expertise – NYDFS recommends recruiting staff with cybersecurity expertise and partnering with companies offering cybersecurity expertise.

7. Require notice to law enforcement – NYDFS recommends requiring that clients notify law enforcement to prosecute current attackers and deter future cybercrimes.

Without taking the above-mentioned actions, companies in the cyber insurance and reinsurance market face excessive risks and potential liquidity issues. In this scenario, concentrated attacks could create a situation in which such companies might be unable to pay what they committed to your firm through your coverage policy.

We recommend that in your search for cyber insurance, your company examine how the prospective insurance company is addressing these best practices, if they are asking you about/factoring in the above requirements in your policies, and how they support cyber insurance. This crucial check further minimizes your firm’s exposure to risk.

Another market shift is that cybersecurity vendors are offering cyber insurance through partnerships with insurance brokers or insurance companies.

For example, BlackPoint Cyber, one of our vendors/partners, offers this type of partnership. BlackPoint Cyber provides Managed Detection and Response services to client endpoints, network, and cloud services as well as a 24-hour Security Operations Center (SOC). Their insurance program, BlackPoint Risk, is offered with their service to their trusted MSP partners and the MSP’s customers.

Your insurance can evolve to fit a variety of parameters, but it should align to your cybersecurity and risk management strategy.

At a minimum, your process should include:

Step 1: Risk Analysis

Review your current coverage as part of your risk analysis. Consider the types of threats you will encounter including data breaches, malware attacks, phishing attacks, and ransomware. Also consider the cost of investigations, business losses/continuity, privacy and notification expenses, as well as lawsuits/extortion. Determine if the coverage aligns with the risk/risk priorities you have established through your analysis.

Step 2: Implementation Plan

Implement the gap-closure activities you identified as part of the risk analysis. For example, you may have determined that it would be best to transfer more risk through insurance policies and increased/specific coverage.

Step 3: Notification/Communications

Should an incident occur, you should have a well-developed incident response plan and playbook ready to deploy. If you have identified this as a gap in your company’s knowledgebase and cyber-readiness, It’s Just Results’ Incident Response Design Workshop will guide you through the process of developing, implementing, and testing your own incident response playbook.

It’s Just Results works with Preferred Insurance, an insurance broker that offers a variety of policies through multiple firms tailored to your industry, circumstance, risk tolerance, and risk transfer strategy.

Understanding the cybersecurity insurance landscape is an important part of your cybersecurity strategy. Assessing how it affects you and what you need to do should be one of your organization’s top priorities. Schedule a consultation now! Too late often comes too soon.