As cybersecurity insurance coverage becomes common, buyer beware
Cybersecurity insurance coverage can certainly have its benefits after a breach, but companies must consider a variety of unique business factors before choosing a policy.
Cybersecurity insurance is increasingly being added as part of modern organizations' cybersecurity strategy. The two sides in the cybersecurity insurance market share a common goal: Stopping cybersecurity attacks. This creates a mutually symbiotic relationship as both insured and insurer have equal skin in the game -- the insurance carrier doesn't want to pay out due to a breach, and the insured doesn't want to experience one.
The cybersecurity insurance industry informs customers about ways to reduce cyber-risk and provides incentives to take proactive preventative measures. Cybersecurity insurance standards can effectively reshape and improve an organization's cybersecurity posture due to the cyberinsurance industry's unique experience and access to information that can help play a crucial role in preventing cybersecurity attacks.
Besides contributing to the creation of a security and compliance framework for your organization's cybersecurity, this type of insurance has several potential advantages. A data breach can destroy an organization's reputation and make it susceptible to incredibly expensive fines. A solid cybersecurity insurance policy can help an organization deal with the unexpected disasters that emanate from cyberspace on a regular basis. Cybersecurity insurance coverage can also assist with paying data breach expenses that come with notification processes, follow-up forensics investigations, legal fees, notification letters, credit monitoring, reputation restoration services, regulatory fines and legal payouts.
Conversely, there can drawbacks to investing time and money on cybersecurity insurance. For one, investing in cybersecurity insurance can create a false sense of security, similar to how relying on compliance standards can create a false sense of cybersecurity awareness, where individuals succumb to what is known as the Peltzman effect. Cybersecurity insurance can create a lackadaisical attitude among employees toward cybersecurity awareness and promote a risky approach to following cybersecurity standards because they are aware of insurance protections in place if an attack does occur.
Rapidly emerging technology, regulations, laws and unprecedented cybersecurity risks make policies obsolete quickly.
The cybersecurity insurance field also has not yet adequately developed a universal way to cope with cybersecurity attacks and data breaches. There are still significant limits on what is typically covered, as cybersecurity insurance policies can vary greatly. Additionally, the cybersecurity insurance company only picks its preferred information security vendors to use if a cybersecurity attack or data breach occurs. In other words, the cybersecurity insurance company may only let you use the third-party organizations of its choosing when it comes time for post-breach digital forensics and legal advice.
Choosing cybersecurity insurance coverage
When choosing cybersecurity insurance, there are some best practices, along with some pitfalls, companies should consider.
Verify that the cybersecurity insurance provider's assessment process aligns with your organization's network security policies and security controls.
Fully understand the exclusions of the cybersecurity insurance provider's policy. It is critically important to understand what is not included in the cybersecurity insurance policy and, more importantly, understand what criteria would be excluded from coverage. For example, unencrypted data lost during a data breach is often excluded from cybersecurity insurance coverage.
Encryption key management, or managing the encryption keys that are used to encrypt and decrypt data, is an important aspect of coverage that must be discussed among security, legal and insurance teams. An insurance underwriting survey is most likely not going to cover this aspect of data security.
Cybersecurity insurance policies are constantly evolving due to the relative newness of the industry. Rapidly emerging technology, regulations, laws and unprecedented cybersecurity risks make policies obsolete quickly. It's important to make sure policies are kept up to date on current cybersecurity insurance compliance standards.
Make sure that the cybersecurity insurance policy is 100% understandable in that the cybersecurity insurance policy broker can effectively explain every aspect of it in nontechnical terms. For instance, it's important to understand how the cybersecurity insurance policy covers data stored in the cloud environment, as well as data accessed by third-party entities.
Verify whether the cybersecurity insurance firm has a history of not paying out. An inquiry should be made with the insurance broker as to what the details of the payout process are and how disputes are handled.
Cybersecurity insurance policies require that the organization requesting coverage accurately present an infosec program in order to receive full coverage. It is important that questions be answered accurately because, if an inaccuracy ends up the focal point for a data breach or loss, it could be interpreted as a misrepresentation in the application process and thereby exclude your organization from coverage.
In the event of a cyber incident, the cybersecurity insurance firm will provide a list of approved attorneys, digital forensics companies and even public relations firms, along with preapproved rates. It is important that, if an organization would like to use different incident management professionals than what is provided, they must be preapproved by the cybersecurity insurance provider prior to any incidents taking place.
Cybersecurity insurance is certainly a double-edged sword. Following standards outlined by a cybersecurity company can effectively help guide and improve an organization's cybersecurity framework by requiring secure configuration controls, an inventory of hardware and software, clear administrative privileges and application security. It can also be a costly and ineffective endeavor if it is not done correctly and time isn't taken to pick the best policy and provider for the organization.
Cybersecurity insurance underwriters understand the risks they face as insurers, so in that capacity, they can help inform an organization's security decisions. However, it's important to remember that cybersecurity insurers only require security controls that directly mitigate the risks that they would be financially responsible for. Misplaced reliance on cybersecurity insurance could lead to an unbalanced security framework, making it crucial for organizations to keep this in mind when deciding on coverage.
