Filling Out the World’s Longest Four-Page Forms: A Cyber Insurance Guide for the Rest of Us
By Brittany Fugate, CEO of Cenetric Network Services, Inc.
We live and operate in a world where cybercrime happens with frightening regularity. It is currently estimated that 2,328 cyber-crimes are committed every day, a number that only goes up each year. With an average cost of $71,000 – $106,000 per attack for a Business Email Compromise or $700,000 – $900,000 for a ransomware attack, life can get very expensive for an unprepared business owner. And the simple truth is that no matter how tightly your environment is secured, cyber criminals should always be considered a credible threat.
That’s where cyber insurance comes in.
What began life as an offshoot of normal business insurance has become an industry all its own, and it can be critical to ensuring that your business survives if you are ever unfortunate to find yourself, one of your vendors, or even one of your customers, a target. A good cyber insurance company can help not only cover the cost of any losses; they can also help you navigate the aftermath of an attack, ensure you are protected against any further attacks, and help cover any operating losses caused by downtime after the attack. Even if you never file a claim, the simple act of filling out the annual assessment can get you thinking about how best to secure your business. Not all cyber-insurance plans or providers are created equal, however.
Picking a Provider and Policy
Most insurance companies that provide business insurance will also offer a cyber policy, but these coverages can vary wildly. It’s vitally important to read through the policy to see what is covered and what is not. Some of the most common types of coverages are:
- Payment Fraud – This type of coverage helps recoup losses if you make a payment to a cyber-criminal based on a fraud campaign (for example, they pretend to be a regular vendor of yours with a new bank account).
- Customer And Employee Data Loss – This type of coverage helps protect you from potential damages if protected information gets stolen.
- Third-Party Lawsuits – As the name implies, this type of coverage is meant to shield you from any lawsuits that arise from vendors/customers/etc. who are harmed by the attack.
- Business Interruption and Extortion – The big one, this protects you if your business is shut down by ransomware and helps ensure you can re-open your doors when the dust settles.
Make sure the offerings fit your business’s needs and are appropriate to the needs for a small to medium business, as some providers really only focus on enterprise-level customers.
Services
In addition to providing monetary protection, a good cyber insurance provider will also provide technical expertise to help make sure there’s nothing lingering in the network after an attack and help protect you against more fun times down the road. If you have a managed IT services provider (MSP), it can be a good idea to ask them if they have any recommendations, as many insurance providers have close partnerships with area MSPs.
Applying
Once you have selected a provider and a plan, it’s time to apply for coverage. Just like a health insurance provider rewards you for good health practices and an auto insurance provider rewards good driving patterns, a cyber insurance provider will base their rates on your current security policies. Here are a few things almost all of them will ask about:
- Multifactor Authentication – the single biggest thing you can do to secure your IT environment is to enable Multifactor Authentication on everything, and it is the number one thing insurance companies want to see in place before they grant coverage.
- Regular Backups – Critical data should all be automatically backed up regularly. The best backups follow the 3-2-1 rule: at least 3 copies of any data in at least 2 locations, at least one of which is offline or immutable. With a solid backup strategy, a ransomware attack that might otherwise completely cripple your business can turn into an annoying afternoon, and insurance companies want to make sure you are regularly making and testing your backups.
- Access Management – If an attacker gets access to an admin account, that’s the ballgame. Most insurance companies will ask you to demonstrate that admin accounts are properly secured through Multifactor Authentication, captured in audit logs, and only in the hands of people who absolutely need them.
Feeling Overwhelmed?
There is a lot of info to digest when looking for a cyber insurance policy, and a whole lot of technical jargon to wade through when applying. Hopefully this article helps to arm you with a bit of what you’ll need to know, but if you need a hand with the whole process, out team is happy to provide that guidance.
Whether you’re in Kansas City or beyond, we have the experience to get — and keep — you covered when it comes to cybersecurity. Let’s talk about your needs today.