Cyber incidents and ransomware attacks have gone from news blurbs buried in the middle of a news cycle to the leading headline on nearly a daily basis. “Quarter of Healthcare Ransomware Victims Forced to Halt Operations” and “A New Restaurant in Logan Square Faces a Hacker Attack” are only a pair of headlines we have highlighted this past week on our newsfeeds. Unfortunately, these instances are only going to become more prevalent. Acuity Insurance saw an increase of over 90% in cyber liability claims from 2020 to 2021. The risks associated with cybersecurity are fast becoming something that business owners must tackle head on. Cyber insurance is one of the ways a business owner can mitigate some of the risks associated with cyber incidents. But what is cyber insurance? What does cyber insurance cover? Is cyber insurance the solution to all of your business’ cybersecurity woes?
Nationwide Mutual Insurance Company defines the role of cyber insurance as “generally cover(ing) your business' liability for a data breach involving sensitive customer information, such as Social Security numbers, credit card numbers, account numbers, driver's license numbers and health records.” This is a good overall description of what cyber insurance can do for your business. Unfortunately, it is also a fairly watered-down definition that can give some business owners a false sense of security, believing that they are covered in case of a cyber incident. The reality of the situation is this: while cyber insurance can cover the costs associated with a cyber incident that leads to a data breach, it cannot quantify or reimburse the cost of lost customer confidence in your brand. Furthermore, as G Mark Hardy of the CISO Tradecraft podcast series often states, cyber insurance provides for the orderly demise of a business. Cyber insurance allows a business owner to settle debts and any potential litigation (within the limits of the insurance coverage) but does nothing to preserve or recover your company’s reputation.
Let’s take a step back from the cyber insurance definition and look at cyber insurance as a means of mitigating risk. Risk has many meanings. But for our purposes, we will use the National Institute of Standards and Technology’s (NIST) definition of risk (they have several, by the way): the level of potential impact on an organization’s operations (including mission, functions, image, or reputation), organizational assets, or individuals, given the potential impact of a threat and the likelihood of that threat occurring. In business, as in life, there are really only four things we can do about the risks we may encounter: avoid, reduce, transfer, and accept.
Let me provide the following analogy. If I go on a hike and come across a river that I need to cross to get to my destination, I must determine the risks associated with crossing that river. I am unable to determine the depth or strength of the current in the river. Furthermore, if I were to enter the river wearing my hiking gear, I would get soaked, and this could have dire consequences for my health and wellbeing later. Finally, I have to figure out just how important finishing this hike is for me. Taking all these things into account, I have the following four possibilities. (1) I can take an alternate path that circumvents the river while still getting to my destination (risk avoidance). (2) I can find the narrowest part of the river and use a hiking stick to determine the shallowest/safest path across the river to get to my desired destination with minimal waterlogging (risk reduction). (3) I can enlist a river ferryman (they still exist, right?) to use his knowledge of the terrain and transfer me safely across the river on his barge (risk transference). (4) Finally, I can just say “to heck with it all” and plunge headlong into the river and plow across to get to my destination (risk acceptance). So how does my analogy translate to business owners and cybersecurity?
If we look at cyber incidents and the potential harm they can bring to your business, we need to determine the risks involved and how best to mitigate them. We must look at what the business’s exposure to cyber incidents is and how severe an impact such an incident would have. Once we determine the risk your business carries, we can make an informed decision on how to move forward. We can avoid cyber incidents altogether by keeping all business transactions limited to pen and paper. While this is quaint and brings back fond (or not so fond) memories of simpler times, it is unrealistic for the vast majority of businesses. Even if most of your transactions can be managed with pen and paper, somewhere along your supply chain there is a cyber component that you will need to account for. Alternatively, we can take this risk analysis and determine the best ways to reduce the impact of a cyber incident on your business.
Simple things like maintaining proper cyber hygiene (make sure you know what computers and programs are in your environment, implement automated updates, ensure cybersecurity awareness training across your entire workforce) can have huge impacts on reducing your risk of a cyber incident.
Transferring risk is where we come back to cyber insurance. Cyber insurance is a manner of transferring the cost of risk mitigation to a third party, namely your insurance carrier. However, as I stated earlier, cyber insurance is not a complete transference of risk. Your company will still deal with the consequences of a cybersecurity incident above and beyond the costs that are covered by cyber insurance. Furthermore, your insurance carrier will not insure you unless you meet certain criteria, namely that your business has exercised due diligence and due care in protecting its data from cyber incidents. Just as an insurance company will not cover a grossly negligent company from liability, it will not cover a cyber incident if it can prove negligence in the handling of data. Additionally, due to the rising rate of cyber incidents and the increased costs associated with them, insurance companies are raising premiums and limiting coverage. CNBC reports a 28% increase in cyber insurance premiums from the fourth quarter of 2021 to the first quarter of 2022. So cyber insurance alone will not be an acceptable risk mitigation step for your business. Finally, risk acceptance is a viable choice for certain aspects of your business and cybersecurity but should not be the answer for your overall cybersecurity needs.
If you’ve gotten this far in this article, I commend you. If you just scrolled down to this point to get the “too long didn’t read” (TLDR) answer to the opening question, here it is. Yes, your company should have a cyber insurance policy. But more importantly, your company should also have a cybersecurity program in place to ensure that the cyber insurance policy is honored and utilized to its fullest extent if necessary. A proper cybersecurity program can help your company navigate the perilous journey of a cyber incident so that you can come out stronger and more trusted than before. Clients can tell the difference between a company that is prepared and one that scurries from one disaster to the next trying to keep afloat. Be sure that your company is ready to face these challenges.
Quantum Vigilance is prepared to help you survive and thrive in the face of cyber incidents. Let us work with you to create a Risk Analysis and Gap Evaluation Report (RAnGER) to guide your cybersecurity journey. We will work with you throughout that journey and provide your organization with cybersecurity guidance you will understand.