By now, in 2022, most organizations understand their general liability insurance policy will not provide coverage for a cybercrime event. At Mentis Group we encourage all of our clients to carry a cyber insurance policy, with at least $1M in coverage for each occurrence. Frankly, a $1M limit can be on the low side for some organizations when you consider a simple email breach of a CFO or the right person in accounting could result in $1M or more in rerouted ACH payments by your clients against fake invoices.
So how do you know what to ask an insurance company to purchase the right cyber insurance policy? More importantly, what should you ask that no one is telling you? You need an expert to guide you through the ins-and-outs of cyber insurance before making a substantial investment in your cybersecurity infrastructure.
Our team at Mentis Group recently interviewed Jason Rebholz of Corvus Insurance to supply you with the most critical information you need to know about cyber insurance.
Jason Rebholz is the Chief Information Security Officer for Corvus Insurance and provides a wealth of knowledge. With a decade working in the Incident Response space and partnering with Managed Services Providers (MSPs), Jason has seen a plethora of cyberattacks and knows what’s needed to protect your company. One of Jason’s primary duties as the Chief Information Security Officer for Corvus Insurance is to provide consultations with policyholders on best practices in cybersecurity.
Here are some free tips to help you make a well-calculated decision when purchasing cyber insurance from an insurance carrier.
What is cyber insurance?
According to Cisco, “Cyber insurance is an insurance product designed to help businesses hedge against the potentially devastating effects of cybercrimes such as malware, ransomware, distributed denial-of-service (DDoS) attacks, or any other method used to compromise a network and sensitive data. Also referred to as cyber risk insurance or cybersecurity insurance, these products are personalized to help a company mitigate specific risks.”
What should people know about BEFORE considering purchasing a cyber insurance policy?
You must go into this process understanding that your cyber insurance carrier is a partner in mitigating risk: both of you have a stake in your organization not experiencing a cyberattack. Additionally, in the case of an unforeseen breach or cyberattack, you’ll have the peace of mind of knowing the following:
- First, you’ll have significantly more resources available, and if a cyber incident occurs, you’ll have guardrails already in place.
- Second, you have a team of experts available to help you navigate the uncertainty of a cyberattack. If you’ve never encountered one before, knowing you have the support of a team that has been there can make all the difference.
- Third, and possibly most important, in addition to helping you recover your environment, a good cyber policy will help make your organization whole again, including coverage for financial loss and legal assistance for any litigation brought against you as a result of the breach. When considering this, is $1M per occurrence really enough coverage for your organization?
What are the questions you should be asking your cyber insurance company?
To help you decide whether a cyber insurance policy is right for your company, Jason has put together a list of questions you should be asking your insurance broker as part of your due diligence process:
- What is covered in this insurance policy?
- What isn’t covered in this insurance policy?
- What type of coverage is needed, and how much do I need?
- What preventative controls do I need to have in place to secure cyber insurance?
- Do I need to have specific third-party vendor technology to qualify for insurance?
What type of preventative measures should your business have in place BEFORE calling a cyber insurance company?
There’s an assortment of preventive measures you’ll want to establish in your business before even Googling “cyber insurance.” Of course, you should already have these protective measures in place as a business owner regardless of your cyber insurance requirements. However, if you’re seriously searching for a cyber insurance policy, you’ll need to have these bare minimum requirements in place before most insurance carriers will consider you for coverage:
- Multi-factor authentication (MFA) for email, remote access, and administrative access to servers and workstations
- Next-Generation Endpoint Security (EDR, XDR, or MDR endpoint security) on workstations and servers
- Security Awareness Training for your users
- Robust backup solution
What are some helpful tips to help you get reimbursed in the case of an unforeseen data breach?
The first tip is to always verify with the insurance company whether you need approval for third-party vendors performing the response process. Specifically, are you required to use certain third-party vendors to get reimbursed in case of a breach? For example, certain insurance carriers will need the IT services company or MSP conducting the data breach investigation to be on their list of preferred vendors. In this case, the firm handling the data recovery will need to be pre-approved by the insurance carrier. If the IT services company isn’t pre-approved, you may be forced to pay for the investigation out of pocket, AND you won’t get reimbursed from the insurance carrier. So, be very attentive to this.
Another tip is to be aware that you’re not going to receive an equipment upgrade as part of a cyber breach reimbursement. Most cyberattacks do not result in damaged hardware, so while the damage to, and recovery of, your operating systems and data may be extensive, the insurance carrier will likely not approve replacement hardware if the existing hardware is still viable post-recovery. Instead, your cyber insurance company’s priority is getting your systems back up and running in a reasonable and necessary way. So, unfortunately, your dream of upgrading your entire server stack because of a ransomware attack isn’t a reality.
The bottom line is this: whether you’re looking to purchase cybersecurity insurance or simply to protect your business, you need a comprehensive cybersecurity plan. You’ll not only ensure the safety of your business but also gain peace of mind knowing you’re safeguarded against unforeseen circumstances. In addition, hiring the right MSP can make all the difference in aligning your business goals for the future with your cyber defenses of the present. If you need a trusted cyber insurance recommendation for your business, we can help with that too. So, if you’re ready to begin, click here to get started.