8 Cyber Insurance questions business leaders need to be asking providers in 2022

The COVID-19 outbreak sparked an acceleration of phishing, business email compromise and ransomware attacks. Remote work brought new risks, especially for companies that needed to quickly make their infrastructures more robust to stay in business. CISOs and CIOs confirmed a surge in attacks in the March-May period in 2020, and threat activity is still elevated. Cybercrime was expected to cost $6 trillion in damages globally in 2021 and $10.5 trillion annually by 2025.


Your business’ ability to recover from a disruption within established limits for time and costs may depend on having adequate, reliable cyber insurance to decrease your costs and time-to-recovery after a cyber attack.  

The rapid onset of digital and social disruption as a result of COVID-19 has meant some aspects of pre-pandemic cyber insurance policies have been invalidated, or the extent of their coverage reduced.

This could have a catastrophic impact on your business if you fall victim to cyber crime, so it’s critical you check in with your IT or Insurance Service Provider to ensure your coverage remains robust.  

We’ve put together the following questions as a starting point for that conversation with your provider. 

1. Do we have a cyber insurance policy and is it providing the right level of coverage?

This question may seem obvious but it is critical, and a sensible place to start.

Intra-company communication is a frequent weak point. Ensuring that your IT provider or in-house professionals have good lines of communication with the board on this subject, and that the policy and claims process is clear to everyone, is key to protecting your business.

Frequently, there’s an assumption that an existing property damage or business continuity policy will cover an incident even if the policy is “silent” on cybersecurity issues. If, unbeknownst to you, cyber intrusions are not covered, you could end up footing the entire bill for a breach or attack — or engaging in a costly court battle for payment. 

And how much insurance does your organisation need? To help determine the right answer, you need to quantify your cybersecurity risk. More mature organisations such as financial institutions have already done this, while companies in other, less-regulated industries tend to be under-insured for cybersecurity liability. Quantifying risk now can prevent problems and potentially catastrophic losses for small and midsize businesses later on.

2. What does our policy cover?

What are the exclusions on your policy? Don’t wait until your systems are held hostage, only to discover that your cyber insurance policy excludes ransomware payments, for example.

And what about the cost of breach notifications? If you’ve had significant customer data stolen for example, the cost of notifying those customers could become problematic.

Does your policy cover public relations and communications? The right messaging can be critical in preventing reputational loss and restoring goodwill with stakeholders.

If you’re hit by ransomware, will your policy pay the costs of negotiating with the attacker and paying the ransom? Does your policy cover extreme business interruption, including losses from cancellations of flights or missed shipments or delayed production? Some, but not all, will include data breach coverage, business interruption cost reimbursement, cyber extortion defence, forensic support and legal support.

And what if your organisation incurs fines for violating the European Union’s General Data Protection Regulation (GDPR) or some other cybersecurity or privacy regulation? How much, if anything, will your insurance company pay?

3. Is your policy tailored to risks associated with your specific industry?

Depending on the industry, different rules may apply, as some businesses are subject to very specific data compliance regulations.

As a business, it’s no use going for the most affordable or cheapest option if the provider doesn’t have enough knowledge or experience to cater to your specific requirements. Make sure that your prospective insurance provider understands the specific data handling needs of your business.

4. Is there anything that’s excluded from the policy?

Sometimes, there is fine print that will need careful attention. Missing certain details might just land your business in difficulty. So, make sure that you check if there are any incidents that cyber liability insurance won’t cover. 

For example, some insurance providers do not cover business practices that pose an avoidable risk. This could include your business’s bring-your-own-device (BYOD) policy. If a breach occurs due to an unencrypted employee device, insurance might not cover it.

5. Has there been any change in audit or compliance obligations?

There will most likely be a need for regular compliance reviews. These help to keep policies current and relevant.  

You will need to check the specifications of what your prospective vendor will require and how much these audits will cost. Also, see if you can request an independent auditor for this as it’s the best way to ensure transparency.

6. What is the response time once a breach occurs?

If you identify a breach you will need to act fast, and your insurance provider needs to respond just as quickly. Make sure you ask each insurance provider about their minimum downtime period. If it’s longer than 24 hours, it may be better to consider a different provider.

7. Can your coverage be modified due to the rapidly changing nature of cyber attacks?

Technology changes at such a rapid pace, hence the need for this blog post. Agility and adaptability are key in ensuring that when new risks pop up, your provider is able to adjust and adapt. You may review your policies in line with changes driven by the pandemic only to find your policy was flexible in the first place, but it’s best to find that out now.

It will be a hard hit to your business if you find yourself in the middle of a breach and discover your provider doesn’t cover a specific incident because it wasn’t accounted for at the time the policy was drawn up.

8. Is the policy flexible enough to adapt as your business grows?

Your cybersecurity liability policy should be flexible enough to adapt to different types of malicious attacks. It should also let your organisation adapt and change as your business and technology needs grow without having to augment your policy.

At the same time, your IT team or provider, alongside your board should actively review your cyber policy every time it’s up for renewal. If you don’t feel equipped to determine whether your policy is sufficient, get help — either from an in-house team, outside legal counsel or an experienced and qualified consultant.

If you have further questions on this subject, don’t hesitate to contact us at hello@fact3.co.uk.  
