You’ve had a cyber incident, but will your insurance company deny your claim?
When it comes to cyber incidents, it’s not a matter of if; it’s when.
Within cybersecurity circles, it has become widely accepted that there are two types of companies: those that have had a cyber incident and those that will. Some take it a step further and say the two kinds of companies are those that know they have had an incident and those that don't. So, with that in mind, what is a business supposed to do if the probability of an incident is so high?
*Cue the triumphant music*
Cyber insurance to the rescue!
Well, it's not quite that simple. Cybersecurity (or cyber incident) insurance policies are becoming more challenging to obtain, and insurers are scrutinizing claims more closely than in years past and denying them more frequently. At a minimum, insurers expect companies to build and maintain the basics of a cybersecurity program, and to be able to show evidence that those basics were in place before the incident.
Can we really blame them, though? Let's consider their business model for a minute. As a business or an individual, you understand that terrible things sometimes happen. Insurance companies know this as well, so they offer a product that helps with financial recovery from cyber incidents, including data breaches and theft, system compromise, ransomware, and extortion payments. However, it only works if the businesses or individuals buying the product take reasonable precautions. A car insurance company wouldn't be in business very long if all its policyholders constantly left their keys in the ignition and the windows rolled down, now would it? This is why insurers continue to raise the bar for what counts as a basic cybersecurity program.
So, you've already been the victim of a cyber incident, but are you about to be kicked while you're down by having your cyber insurance claim denied? Have you done enough, in the eyes of your insurer, to demonstrate that you were taking the necessary steps to protect your business before the incident? Or maybe you haven't had an incident yet and want to get a policy. Either way, you need to know what steps to take to demonstrate that you are putting in a reasonable effort to protect yourself and your business. Want help? Keep reading!
Common Causes of Application and Claim Denials
Your application for a cyber insurance policy or claim against your current cyber insurance may be denied because of:
- Lack of core cybersecurity controls
- Gaps in readiness to respond to a cyber incident
- Poor or inaccurate documentation of preventative measures
- Someone else being at fault (e.g., a third-party vendor that you cannot show you vetted or monitored)
- Insufficient cybersecurity awareness training
Solutions and Ways to Avoid Denials
Frameworks such as NIST CSF have been developed to address exactly these issues and are designed to help businesses become more cyber secure. And no, you don't have to hire full-time cybersecurity staff to follow them. Here are some things you can do to start working toward improved cybersecurity for your business:
- Accurately document security controls. I can't emphasize this point enough. Lack of documentation is a simple and straightforward reason for an insurer to deny a claim or decline to issue a policy. Things like a clearly defined password policy, a record of who has access to what equipment and what information, a formalized onboarding process (and, perhaps even more importantly, an offboarding process), any cybersecurity training that has been conducted, and any other steps that have been implemented to address cybersecurity will all be scrutinized when you apply for a policy or make a claim. Additionally, don't overstate the technical and procedural controls you have in place or your overall level of preparedness for a cyber incident: an application that claims controls you don't actually have is inaccurate documentation, and the insurer can point to it when denying a claim.
- Build an inventory of the valuable information and technology you have. Your asset inventory should document how many company computers, phones, tablets, etc., you have, what valuable information you hold, where it lives, and how sensitive it is.
- Know who you're working with. Document every third-party vendor you use and which areas of your business and which systems or data they have access to. Additionally, include language in your vendor agreements that requires them to notify you of changes to their security program that affect your business, as well as changes to the personnel who can access your systems and data. This not only helps protect your data but also addresses the concerns insurers have about third-party risk.
- Develop a training and awareness program. Yes, you can outsource this! You can also develop a program internally. However you do it, make sure the program aligns with the rest of your cybersecurity program. Are you using a security framework like NIST CSF? Ensure that the training you provide maps to the controls in your framework, and keep records of who was trained and when, since that is the evidence an insurer will ask for.
What if You Already Have a Cyber Insurance Policy?
You've got to read that doggone thing! Reading the policy will tell you what is and isn't covered and what your responsibilities are as the policyholder. Are there a bunch of words in there that you don't understand? Yeah, highly likely. You're not alone. Your agent should be able to explain everything in your policy. If they can't (or won't, or you don't entirely trust them), you can seek out the services of a reputable cybersecurity professional to review the policy with you. They can help you understand what those acronyms and fancy terms mean and guide you in staying compliant with your policy. Remember, if you already have a cyber insurance policy and have shared your information security policies, procedures, and practices with your insurer, you need to continue to follow through on what you have documented. Business moves fast, people come and go, and environments change. A periodic review of your cyber insurance policy and the controls you actually have in place will help keep you in compliance with your policy and keep your business better protected from a cyber incident.
At Reveal Risk, we help companies develop, improve, and maintain good cybersecurity programs and processes that will enhance their security posture and reduce risk to the business. Having good cybersecurity fundamentals in place can simplify obtaining cyber insurance, reduce the likelihood of needing to file a claim, and improve the chances of a successful outcome with your claim, should disaster strike.
About the Author:
Jim Wailes is a Senior Cybersecurity and Risk Consultant at Reveal Risk. Jim has over 25 years of experience in military and law enforcement intelligence, investigations, and digital forensics. He uses his unique mix of experiences to provide actionable insight to companies wanting to level up their cybersecurity programs. Reach out to him at JimWailes@revealrisk.com to learn more about how Reveal Risk can help embed cybersecurity into your business with their people-and-processes-first approach.