5 Questions to Ask Before Buying a Cyber Insurance Policy

As a business owner, you understand the importance of insurance. It's one more way to protect your employees, infrastructure, intellectual property, and investments. As data breaches have become a near-constant fixture in the news, more companies are adding Cyber Liability Insurance Coverage (CLIC) to their risk strategy. It is sometimes marketed as a cure-all, but cyber insurance transfers financial risk rather than preventing incidents, and approval typically hinges on a detailed assessment of your security posture. Furthermore, and this can't be emphasized enough, a cyber insurance policy is only as effective as the IT controls behind it: weak controls mean higher premiums, narrower coverage, or even a denied claim if the controls you attested to on the application were not actually in place. So, before you begin shopping for a cyber insurance policy, make sure your company is asking the right questions.


What Does Cyber Insurance Cover?

Cyber insurance isn't, strictly speaking, a new concept. These policies grew out of Errors and Omissions (E&O) insurance around 2005. However, demand has exploded in the last couple of years as Covid-19 prompted the mass migration to remote work, and cybercrime followed. Ransomware has been booming as criminals target businesses across industries, and more companies are looking to cyber insurance to help contain costs. The market is expected to reach a value of $29 billion by 2025. So what exactly does cyber insurance do? This coverage is meant to offset the expenses incurred during a data breach or other cybersecurity event, including:

  • Recovering compromised data

  • Legal settlements and regulatory fines

  • Hiring experts to identify and repair damage

  • Notifying customers, and providing identity and credit monitoring

  • Business interruption, network downtime, and lost employee productivity 


These policies should provide coverage for both first-party and third-party claims. First-party coverage pays for the insured organization's own losses (forensics, data restoration, customer notification, downtime), while third-party coverage addresses legal action taken by customers, partners, or regulators. Coverage and premiums vary, but underwriters typically price on organization type, services provided, the volume and sensitivity of the data held, and the security controls currently in place.

Essential Questions to Ask a Cyber Insurance Provider

According to a Statista report from early 2021, only 41% of businesses in the United States and Europe had a cyber insurance policy, despite the increased risk. If your business is in the early stages of adopting a cyber insurance policy, make sure you ask potential providers the following:

  1. Creating Your Policy

    • Is the cyber coverage written as a standalone policy, or as an endorsement to an existing general liability or E&O policy? Endorsements are often cheaper but typically carry lower sub-limits. Many providers offer customizable standalone policies that let you match limits to your actual exposure rather than paying for coverage you don't need.
  2. Understanding Coverage

    • Does coverage include both first and third parties, as well as incidents that originate at a third-party service provider (a managed service provider, SaaS vendor, or cloud host)? Third-party vendors are a common avenue into sensitive company data, so make sure a breach on their side is still covered on yours.
  3. Employee Liability

    • Will coverage still apply if the event was caused by non-malicious employee activity, such as a misconfiguration or a lost laptop? What about social engineering attacks such as spear-phishing, or an advanced persistent threat (APT) that gained its foothold through an employee's credentials? Social engineering losses and fraudulent funds transfers are frequently sub-limited or excluded, so ask explicitly rather than assuming.
  4. Threat Timelines

    • Given that some intrusions take months to discover, when does coverage begin and end? Ask whether the policy is written on a claims-made basis, what the retroactive date is, and whether an incident that began before the policy period but was discovered during it is covered. Also ask how quickly you must report a suspected incident, since late notice can jeopardize a claim.
  5. Scope of Policy

    • Does the policy apply only to targeted attacks, or does it cover any security event the organization suffers, including opportunistic ransomware and commodity malware? Read the exclusions as carefully as the coverage grants.

Cyber Insurance Policy Requirements

Most cyber insurance providers require a thorough cybersecurity assessment before approving an application. This ensures that businesses are already taking proactive steps to reduce their exposure before cyber insurance becomes part of the strategy. Ultimately, there is little sense in insuring a company that is unwilling to engage in routine cyber hygiene via threat assessments, continued employee education, and an independent audit of third-party vendor security. Answer the questionnaire truthfully: misstating a control can give the insurer grounds to deny a later claim. Here are common security controls insurance providers may ask about:

  1. Application Whitelisting (now often called allowlisting) - a control that lets an organization specify exactly which software is permitted to run on its systems, so that unapproved processes and applications, including most malware, are blocked by default.

  2. Asset Inventory - a current list of all IT hardware, devices, and systems an entity owns, operates, or manages. You cannot patch or protect what you do not know about, so insurers use the inventory to judge what data is held and whether security measures actually cover every device.

  3. Custom Threat Intelligence - the collection and analysis of data from open source intelligence (OSINT) and dark web sources to provide organizations with intelligence on cyberthreats and cyberthreat actors pertinent to them.

  4. Database Encryption - encrypting sensitive data while it is stored in databases (encryption at rest). Implemented correctly, it prevents attackers from reading data they obtain by stealing disks, backups, or raw database files. It does not protect against an attacker who compromises an application or account that is authorized to query the data, so key management and access control matter as much as the cipher.

  5. Data Loss Prevention - software that identifies, and can block, sensitive data being exfiltrated from a network or computer system, for example a spreadsheet of customer records attached to an outbound email.

  6. DDoS Mitigation - hardware or cloud based solutions used to filter out malicious traffic associated with a DDoS attack, while allowing legitimate users to continue to access an entity's website or web-based services.

  7. DMARC (Domain-based Message Authentication, Reporting and Conformance) - an email authentication policy, published as a DNS TXT record at _dmarc.<yourdomain>, that builds on SPF and DKIM to tell receiving mail servers what to do with messages that claim to come from your domain but fail authentication. It is used to combat email spoofing, a staple of phishing campaigns. A record with p=none only monitors; only p=quarantine or p=reject actually blocks spoofed mail.

  8. DNS Filtering - blocking the resolution of known malicious domains (phishing sites, malware download hosts, command-and-control servers) so that users and infected machines on your network cannot reach them.

  9. Email Filtering - software used to scan an organization's inbound and outbound email messages and place them into different categories, with the aim of filtering out spam and other malicious content.

  10. Employee Awareness Training - training programs designed to increase employees' security awareness. For example, programs can focus on how to identify potential phishing campaigns.

  11. Endpoint Protection - software installed on individual computers (endpoints) that uses behavioral and signature-based analysis to identify and stop malware.

  12. Incident Response Plan - action plans for dealing with cyber incidents to help guide an organization's decision-making process and return it to a normal operating state as quickly as possible.

  13. Intrusion Detection System - a security solution that monitors activity on computer systems or networks and generates alerts when signs of compromise by malicious actors are detected.

  14. Mobile Device Encryption - full-disk or file-based encryption of a phone, tablet, or laptop's storage, with the encryption key protected by the user's passcode or password. When a lost or stolen device is locked, its data is unreadable without that passcode.

  15. Multi-Factor Authentication - requiring a user to prove their identity with two or more independent factors (something they know, have, or are) when logging into a system remotely. Typically a password is combined with a one-time code from an authenticator app or hardware token. Insurers commonly ask specifically about MFA on remote access (VPN, RDP), email, and privileged accounts; phishing-resistant methods such as FIDO2 security keys are stronger than SMS codes.

  16. Network Monitoring - a system, utilizing software, hardware or a combination of the two, that constantly monitors an organization's network for performance and security issues.

  17. Penetration Tests - authorized simulated attacks against an organization to find exploitable weaknesses in its defenses before a real attacker does. Also referred to as ethical hacking. Red team exercises are a related but broader, objective-driven form that also tests detection and response.

  18. Perimeter Firewalls - hardware or virtual appliances that control and monitor network traffic between two networks (for example, the internet and your office LAN) according to predefined rules, denying anything not explicitly allowed.

  19. Security Info & Event Management - system used to aggregate, correlate, and analyze network security information - including messages, logs, and alerts - generated by different security solutions across a network.

  20. Vulnerability Scans - automated tests designed to probe computer systems or networks for the presence of known vulnerabilities that would allow malicious actors to gain access to a system.

  21. Web Application Firewall - protects web facing servers and the applications they run from intrusion or malicious use by inspecting and blocking harmful requests and malicious internet traffic.

  22. Web Content Filtering - the filtering of certain web pages or services that are deemed to pose a potential security threat to an organization.
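Most of the controls above are yes/no answers on a questionnaire, but item 7 is one you can verify yourself in a minute. The following Python checker is an added example for this article, not iCorps code or code from the original page. It parses the tag=value syntax of a DMARC TXT record (RFC 7489) and grades whether the record merely monitors, partially enforces, or fully enforces. The sample records are constructed for illustration; the DNS lookup of _dmarc.<domain> is assumed to have already been done (for instance with `dig TXT _dmarc.example.com`), so the script runs offline.

```python
"""Grade a DMARC TXT record: does it actually block spoofed mail?

Added example for this article (not the page's or iCorps' own code).
The DNS lookup of _dmarc.<domain> is assumed to have been done already;
the records in main() are constructed for illustration.
"""
from dataclasses import dataclass, field

VALID_POLICIES = ("none", "quarantine", "reject")
STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}


@dataclass
class DmarcRecord:
    tags: dict = field(default_factory=dict)
    errors: list = field(default_factory=list)


def parse_dmarc(txt: str) -> DmarcRecord:
    """Split 'v=DMARC1; p=reject; ...' into tags and collect syntax errors."""
    rec = DmarcRecord()
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts:
        rec.errors.append("empty record")
    for i, part in enumerate(parts):
        if "=" not in part:
            rec.errors.append(f"malformed tag: {part!r}")
            continue
        key, value = (s.strip() for s in part.split("=", 1))
        key = key.lower()
        if key in rec.tags:
            rec.errors.append(f"duplicate tag: {key}")
        rec.tags[key] = value
        # RFC 7489 requires the version tag to come first.
        if i == 0 and (key != "v" or value != "DMARC1"):
            rec.errors.append("first tag must be v=DMARC1")
    if "p" not in rec.tags:
        rec.errors.append("missing required tag p")
    elif rec.tags["p"].lower() not in VALID_POLICIES:
        rec.errors.append(f"invalid policy: {rec.tags['p']!r}")
    if "sp" in rec.tags and rec.tags["sp"].lower() not in VALID_POLICIES:
        rec.errors.append(f"invalid subdomain policy: {rec.tags['sp']!r}")
    pct = rec.tags.get("pct", "100")  # default is 100 when absent
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        rec.errors.append(f"invalid pct: {pct!r}")
    return rec


def assess_dmarc(txt: str) -> dict:
    """Return {'level': ..., 'warnings': [...]}.

    level is one of: invalid, monitor-only (p=none), partial (pct < 100),
    enforcing (p=quarantine or p=reject applied to all mail).
    """
    rec = parse_dmarc(txt)
    if rec.errors:
        return {"level": "invalid", "warnings": rec.errors}
    warnings = []
    policy = rec.tags["p"].lower()
    pct = int(rec.tags.get("pct", "100"))
    sub_policy = rec.tags.get("sp", policy).lower()  # sp defaults to p
    if "rua" not in rec.tags:
        warnings.append("no rua= address: you will receive no aggregate reports")
    if STRENGTH[sub_policy] < STRENGTH[policy]:
        warnings.append(f"sp={sub_policy} is weaker than p={policy}; subdomains can be spoofed")
    if policy == "quarantine":
        warnings.append("p=quarantine sends spoofed mail to spam instead of rejecting it")
    if policy == "none":
        level = "monitor-only"
    elif pct < 100:
        level = "partial"
    else:
        level = "enforcing"
    return {"level": level, "warnings": warnings}


def main():
    # Constructed sample records, weakest to strongest.
    samples = [
        "p=reject; v=DMARC1",
        "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
        "v=DMARC1; p=reject; pct=20; rua=mailto:dmarc@example.com",
        "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com",
        "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    ]
    for txt in samples:
        result = assess_dmarc(txt)
        print(f"{result['level']:13s} {txt}")
        for w in result["warnings"]:
            print(f"{'':13s}  - {w}")


if __name__ == "__main__":
    main()
```

Run it against the output of `dig TXT _dmarc.yourdomain.com +short` (strip the surrounding quotes). If the answer is "monitor-only", you have DMARC deployed but it is not stopping anyone from spoofing your domain; moving to p=quarantine and then p=reject, after reviewing the aggregate reports sent to the rua= address, is what makes the control real.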

Fortunately, iCorps' technicians are experts in identifying, diagnosing, and remediating IT threats. For more information on how a security assessment can better prepare your business for cyber insurance, contact us here
