Cyber Insurance: What Executives Need to Know Before Obtaining Coverage

By Amanda Surovec, Director of Security Engagement and Claims, Resilience Cyber Insurance Solutions, and Shawn Melito, Chief Revenue Officer, BreachQuest

Introduction

In the last six months, cyber attacks increased by 29 percent worldwide, as thousands of global organizations and insurers can attest to. This trend has been a driving factor for the growth of cyber insurance, which has come a long way in the last twenty plus years. However, even then, cyber experts were raising the alarm on attacks, calling attention to how easy it was for hackers to successfully breach a system and how little legislation there was to ensure breaches were handled appropriately.

Fast forward twenty years and these concerns have developed into full-fledged crises. Technology, the internet and growth of the software as a service (SaaS) industry have led to the majority of sensitive customer and company data being located online, and hackers have come to understand the incredible value of this data. Not only is this information essential to day-to-day operations but being breached can damage customer trust. With so much at stake, cyber insurance has become a top priority for many SaaS-based businesses, yet with the rise of cyber threats and a hardening of the insurance market, obtaining coverage is becoming more difficult.

Creating a Game Plan

On a global scale, cybercrime is expected to reach $10.5 trillion annually by 2025, up from $3 trillion in 2015. So, when is a company “ready” to purchase cyber insurance? We hear this question a lot in our line of work.

To start, any company that uses a computer system and the internet as part of conducting its business, or collects personally identifiable information (PII) of employees, clients, or third-parties, should be pursuing cyber insurance if they do not have it already. The specific type of coverage, and how much insurance a company should have, can vary greatly based on the size and industry of the organization. In order to determine what is best for your company, and to help you prepare to purchase cyber insurance, you should start with conducting a cyber risk assessment and request a technical consultation with security and insurance broker experts. This risk and technical assessment will help you determine any potential gaps or areas for improvement in your organizations’ cyber security program, and help you decide what kind and how much coverage to purchase.

Once you determine your organizations’ specific cyber insurance needs, your insurance broker will help you find the right cyber insurance carrier to best serve those needs. Some cyber insurance carriers, such as Resilience, provide additional risk management benefits during the procurement process and throughout the policy period to help organizations secure coverage and better improve their cyber risk posture.

Dress to Impress

With a hardening cyber market, securing cyber insurance can be challenging for even security-conscious organizations. That said, even before coverage is secured, brokers and insurers work with existing and potential clients to mitigate cyber risk. Once it has been determined that your business is ready for cyber insurance, executives can work with them to navigate what security actions need to be taken to ensure that the cost/risk benefit of the insurance plan will be balanced.

Those that want to secure coverage should be able to come to the table with a robust cyber security plan that details where their data is located and how they protect it. This might include analyzing and implementing tools like VPNs and Endpoint Detection and Response (EDR), reconfiguring system infrastructure, adding multi-factor authentication, segmenting data and networks to better control access to help mitigate doxxing attacks, and utilizing backup functionalities that are tightly air gapped.

Once set-up, organizations need to test these environments. If security tooling is in place, but done so or configured incorrectly, hackers can still breach the system through known vulnerabilities or brute force attacks. However, testing can mitigate this drastically, as well as help an organization determine if vulnerability management and patching should be done in-house or be outsourced. Security teams should also be trained on how to monitor and patch systems, privacy protection protocols and how to identify phishing attempts. If they are unable, then these functions must be outsourced.

Keeping Premiums Low Once Coverage is Secured

Once secured, cyber insurance premiums can be kept low on renewal by continuously improving upon pre-established security postures, a process that can greatly help prevent attacks, such as those from business email compromise or ransomware. Still, successful attacks happen and when they do, taking the proper steps to mitigate risk can help keep your premiums low.

If a breach occurs and company data is being held for ransom, companies need to implement strict policies that restrict anyone at the organization from reaching out to the threat actor. We have seen many cases where someone on either the security or leadership team contacted the hacker and divulged information that made the situation even harder to resolve. Examples include providing their names, company, whether they have a cyber insurance policy and the value of the data that was taken – giving more power to the hacker than intended. Keep in mind, hackers don’t always know who they have attacked and how valuable the data they found is. Instead, teams should contact an experienced recovery and remediation group, along with their cyber insurance company, to get assistance as quickly as possible. With this approach, experts can begin to rebuild company infrastructure even as negotiations play out. It might be counter-intuitive to get the bill running sooner, but at the end of the day, it is almost always the most cost-effective option. This act reduces the potential business interruption claim, gets a head start on recovery and identifies systems that could be re-built or upgraded vs. paid to unlock faster.

Having your counsel work with regulators when breached has also become more essential than ever. Most recently, in September 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) produced an updated advisory on the use of digital currencies in ransomware attacks and other financial crimes, discouraging companies from simply paying the ransom to regain operational control after a successful ransomware attack. While these advisories are aimed at the payment of ransoms to sanctioned entities, it also may address the ballooning of ransom demands and spiking cyber insurance costs over the past year.

In working with the client, their counsel, an IR firm and the insurer, the decision to pay a ransom is always determined on a case-by-case basis, and only after an expert analysis of the situation can be compiled and payment due diligence completed. While there are still times when a ransom is paid, more and more often, companies are alternatively using the resources provided by their insurer to remediate and rebuild.

Even with much of the cyber insurance landscape still in flux, opting into cyber insurance can provide a sense of security if a victim of a cyber attack. It can help companies recover after a data breach when thousands or even millions of dollars are accrued from business disruption, revenue loss, legal fees, forensic analysis and more. To best obtain cyber insurance, working directly with brokers and insurers that can provide advice for setting up security tooling and processes and protocols can be a huge boon for candidates. Even as coverage is secured, keeping premiums low can be addressed by maintaining and improving upon internal and external security practices, which can help mitigate risk further, making your systems protected from the majority of inevitable attacks. And, should a breach occur, calling your broker, insurance agent and associated firms at the first sign of a breach, such as remediation and recovery or those well-versed in OFAC regulations, will enable businesses to get back online faster, with more business value intact.

 About the Author

Amanda Surovec is the Director of Security Engagement and Claims for Resilience Cyber Insurance Solutions where she oversees client onboarding and the Resilience Ransomware War Game Table Top Exercises. Previously, Surovec served as a claims manager at Beazley and as a claims specialist at Sphere Risk Partners. Surovec attended Penn State University where she earned a BA in Human Development and Family Studies.

Shawn Melito serves as Chief Revenue Officer for BreachQuest. He is responsible for marketing and business development activities as they relate to the cyber insurance community, including breach coaches, cyber insurance companies and brokers. He brings over 20 years of management experience to his role. Previously, Shawn was a managing director for Kivu Consulting and a management consultant, information systems analyst, and business unit leader for NPC’s Immersion Data Breach Response Service group, a leading notification and call center service provider to the cyber insurance community. He is a certified information privacy professional (CIPP/US) through the International Association of Privacy Professionals (IAPP) and a previous member of their Canadian Advisory Board. He has chaired and spoken at many cyber insurance industry conferences. Shawn has a B.A. from the University of Toronto and an M.B.A. from the Richard Ivey School of Business in London, Ontario.