Proactive Cyber Insurance: A Piping Hot Take

CCIS student Mercy Komar provides a commentary on the preventative approach to cyber risk adopted by many carriers today.

The term "proactive cyber insurance" has skyrocketed in use over the past year, thanks in part to Coalition's launch of its Active Cyber Insurance product. But how does this approach work in practice? Commercial Lines Manager and Risk Consultant Mercy Komar provides some insight for our community.

In the business world, cyber risk coverage is one of many types of insurance you will invariably need to protect your business. Property insurance to protect your physical assets? Easy. General liability to protect your bottom line in a lawsuit? A no-brainer. But cyber insurance to protect your data, your bank account, and your reputation? You will need to work a little harder to get this one.

Where to Begin with Proactive Cyber Insurance

Let's start with the basics: the first points a cyber-insurance broker should get in order with their insureds.

  • What are your assets and where are they?
  • Is it client information or a patented chemical compound?
  • Is it locked in a safe, a file drawer, or deep in the bowels of an Excel spreadsheet?
  • What will you do if it gets stolen? What if the thieves demand money for the data's safe return? Worse yet, what if you can't pay the ransom? Do you have the backups, and the financial wherewithal, to lose hundreds of thousands or maybe millions of dollars?


The broker should then aim to get a stronger sense of the insured’s primary reasons for seeking cyber coverage. It could be that the insured needs to buy a policy for one of the reasons above. It could also be for regulatory compliance purposes or for contractual or governmental reasons.

In any case, it is up to the agent to make clear to insureds that, to qualify for a policy with most carriers, and to have a shot at reducing their premiums, they will need a team of experts to help them build and maintain their cyber security program. Insurance is only one piece of a much larger puzzle.

Proactive Cyber Insurance Minimum Benchmarks

There is a long list of security controls a carrier may require before issuing cyber insurance, including MFA, security awareness training for employees, and scanning email for malicious attachments. Most insurance companies now require that critical patches and system updates be applied within 60 days at most, and that critical data be backed up "off-line" and preferably encrypted.

How many of these security controls your insured already has in place, can implement, or is willing to implement will determine whether they can obtain insurance and what it costs. Hitting minimum benchmarks of cyber security hygiene is a good place to start, but a preventative approach to security serves a much greater purpose.

Required:

  1. MFA…MFA…MFA…

I think that should be the acronym of the decade. If you don't know yet what it means, it stands for Multi-Factor Authentication. Its basic premise is that a password alone is not enough: to access an account or system, the user must also present a second, independent proof of identity. It has become a thorn in the side of many companies looking to purchase cyber insurance. But the evidence is strong: widely cited vendor estimates hold that MFA would stop the large majority (a figure of 90% or more is often quoted) of the account-compromise attacks that rely on stolen or guessed passwords, which are behind a great many breaches.

Using multi-factor authentication for cloud-based services and for all remote access to your insured's network is first and foremost. Simple passwords no longer provide enough security. MFA doesn't eliminate the need for those passwords; rather, it adds a further verification step such as a fingerprint, a code from an authenticator app, a hardware security key, or a code sent by phone. Not all second factors are equal: codes sent by SMS can be intercepted or phished, so an authenticator app or a phishing-resistant hardware key (FIDO2) is the stronger choice where the insured can support it.

  2. Patch to your heart's content

Software platforms receive updates known as patches. Some add new features, and some fix vulnerabilities. Applying them is a routine security task and should be done at least every sixty days; many insurance companies now require critical patches to be installed within 30 to 45 days of the vendor releasing them, so the insured needs to track patch age per system, not just "we patch regularly". Also, make sure that your insured is no longer running any legacy software (such as Windows Vista) that is out of support and can no longer be patched.

  3. Back it up

Your insured should regularly back up critical data outside of the live environment and, just as importantly, test that it can actually be restored. The backups should preferably be encrypted, and at least one copy should be kept offline or otherwise unreachable from the production network, so that ransomware that encrypts the live systems cannot also encrypt the backups. By doing this the insured can keep functioning after a cyberattack, accidental deletion, or physical damage such as a fire.
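The three required benchmarks above can be checked mechanically against an asset inventory before the application goes in. The script below is an added example for this article, not code from the author, the Cyber Insurance Academy, or any carrier: it evaluates a constructed inventory for MFA on cloud and remote-access accounts, critical-patch age against the carrier's window (including unsupported operating systems), and backups that are recent, offline, encrypted, and restore-tested. The thresholds, field names, and the sample inventory are assumptions chosen for illustration; the end-of-support dates are the vendor's published ones.

```python
# Readiness check against the three "required" benchmarks above. Added
# example, not carrier code; thresholds, field names and the sample
# inventory are assumptions for illustration.
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Assumed thresholds. The article quotes carrier patch windows of 30 to 60
# days; use the strictest window the insured is actually asked to meet.
PATCH_WINDOW_DAYS = 45
BACKUP_MAX_AGE_DAYS = 7          # newest good backup must be this fresh
RESTORE_TEST_MAX_AGE_DAYS = 90   # last verified restore must be this recent
# Vendor end-of-support dates (public facts): unpatchable after these.
END_OF_SUPPORT = {"Windows Vista": date(2017, 4, 11), "Windows 7": date(2020, 1, 14)}

@dataclass
class Account:
    name: str
    remote_access: bool        # VPN, RDP gateway, etc.
    cloud_service: bool        # M365, Google Workspace, SaaS admin consoles
    mfa_method: Optional[str]  # None, "sms", "totp" or "fido2"

@dataclass
class Host:
    name: str
    os: str
    last_critical_patch: date

@dataclass
class BackupSet:
    name: str
    last_success: date
    offline: bool              # a copy unreachable from the live network
    encrypted: bool
    last_restore_test: Optional[date]

@dataclass
class Finding:
    control: str   # "mfa", "patching" or "backup"
    subject: str
    severity: str  # "required" (blocks coverage) or "advisory"
    message: str

def check_mfa(accounts: List[Account]) -> List[Finding]:
    out = []
    for a in accounts:
        if not (a.remote_access or a.cloud_service):
            continue  # internal-only accounts are outside this benchmark
        if a.mfa_method is None:
            out.append(Finding("mfa", a.name, "required", "no MFA on remote or cloud access"))
        elif a.mfa_method == "sms":
            out.append(Finding("mfa", a.name, "advisory",
                               "SMS codes are phishable; prefer an authenticator app or FIDO2 key"))
    return out

def check_patching(hosts: List[Host], today: date) -> List[Finding]:
    out = []
    for h in hosts:
        eos = END_OF_SUPPORT.get(h.os)
        if eos is not None and eos <= today:
            out.append(Finding("patching", h.name, "required",
                               f"{h.os} unsupported since {eos}; it cannot be patched, retire it"))
            continue
        age = (today - h.last_critical_patch).days
        if age > PATCH_WINDOW_DAYS:
            out.append(Finding("patching", h.name, "required",
                               f"last critical patch {age} days ago exceeds the {PATCH_WINDOW_DAYS}-day window"))
    return out

def check_backups(backups: List[BackupSet], today: date) -> List[Finding]:
    out = []
    for b in backups:
        if (today - b.last_success).days > BACKUP_MAX_AGE_DAYS:
            out.append(Finding("backup", b.name, "required", "no recent successful backup"))
        if not b.offline:
            out.append(Finding("backup", b.name, "required",
                               "no offline copy; ransomware on the live network can reach it"))
        if not b.encrypted:
            out.append(Finding("backup", b.name, "advisory", "backup is not encrypted"))
        if b.last_restore_test is None or (today - b.last_restore_test).days > RESTORE_TEST_MAX_AGE_DAYS:
            out.append(Finding("backup", b.name, "required", "restore never tested or test is stale"))
    return out

def readiness_report(accounts, hosts, backups, today: date) -> List[Finding]:
    return check_mfa(accounts) + check_patching(hosts, today) + check_backups(backups, today)

def required_gaps(findings: List[Finding]) -> List[Finding]:
    return [f for f in findings if f.severity == "required"]

def run_sample() -> List[Finding]:
    """Constructed inventory (not real data), evaluated as of 2024-03-01."""
    today = date(2024, 3, 1)
    accounts = [Account("vpn-admin", True, False, None), Account("m365-user", False, True, "sms"),
                Account("m365-admin", False, True, "fido2"), Account("lobby-kiosk", False, False, None)]
    hosts = [Host("file-srv", "Windows Server 2019", date(2024, 2, 10)),
             Host("hr-pc", "Windows 7", date(2019, 12, 1)), Host("web-01", "Ubuntu 22.04", date(2023, 12, 15))]
    backups = [BackupSet("fileshare", date(2024, 2, 28), True, True, date(2023, 12, 20)),
               BackupSet("erp-db", date(2024, 2, 29), False, False, None)]
    return readiness_report(accounts, hosts, backups, today)

if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.severity}] {f.control} {f.subject}: {f.message}")
```

On the sample inventory the script reports five "required" gaps (an unprotected VPN account, a Windows 7 machine, a server 77 days behind on critical patches, and an ERP backup with no offline copy and no tested restore) and two advisory ones (SMS as a second factor, an unencrypted backup). The "required" findings are the ones to close before the application is submitted; the thresholds should be set from the carrier's own application questions rather than the defaults here.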

Suggested:

Preventative defense starts at the frontline

An organization's staff is its frontline: they constantly receive outside communications from third parties that could put the business at risk. Cyber security training can enable staff to identify cyber risks early enough to prevent them from impacting the organization in the first place.

There are third-party vendors who offer free cyber security training for staff, and a range of vendors that offer training services at discounted prices. Many insurance companies offer policyholders discounted rates with their preferred vendors. Training, including anti-phishing training, for every individual who has access to your insured's networks will help reduce insurance premiums in the long run. This is sure to become a requirement, not a suggestion, in the near future.

You should also advise your insured that implementing this training and monitoring its efficacy requires a team of qualified people, beginning with key individuals within their organization such as its IT manager, HR manager, and company officers.

Lean on the pros

You can encourage your insureds to consider third-party service providers including:

  • An MSSP (Managed Security Service Provider). This is a partnership that will evolve over time. Your insured can depend on them, but it doesn't relieve the insured of all responsibility.
  • A business law firm with a cyber practice. Should there be a breach, your client will need someone in their corner who knows the breach-notification laws of every relevant jurisdiction; many such firms are pre-vetted by insurance companies specifically for this purpose.
  • A cyber-trained insurance agent. With some 500 companies worldwide offering some form of cyber risk insurance, a true cyber insurance professional will be able to differentiate the coverages offered by different carriers, understand their insured's business and the most pressing risks it faces, and consistently devote time to keeping their knowledge of this part of the insurance universe up to date. Agents who have taken advanced courses through the Cyber Insurance Academy, for example, and carry specialized designations after their names, are held in high regard by the insurance companies, and this helps in the placement of their clients' coverages.


While the upfront cost of cyber insurance may seem steep, the potential financial and reputational consequences of a cyber attack far outweigh the cost of coverage. Investing in proactive cyber insurance is an investment in the long-term security and stability of an insured's business, and it is likely to explode in popularity in the next few years as insurers look to protect their capital and insureds look to reduce their premiums. By proactively identifying and addressing potential vulnerabilities, businesses can significantly reduce the likelihood of a successful attack and the resulting financial and reputational damage.

Do you want to join our community of cyber insurance professionals? Sign up for our newsletter for events and other learning opportunities at the Cyber Insurance Academy.