John Moccia of Innovation Guard wrote a good primer on what happens when a firm needs to buy cyber insurance, in a thread at Internet Evolution. The author writes that loss control and security precautions are built into the process of acquiring cyber insurance. Firms like NetDiligence partner with insurers, and when you buy a cyber insurance policy the coverage is contingent upon passing a security audit performed by NetDiligence (penetration testing, ethical hacking, etc.).
The article goes on to state that when a company outsources its technology, such as to a colocation facility where its actual servers reside, the insurer will seek information on the colo firm's security protocols, protections and redundancy. In the end, companies with better procedures and protections in place will get better rates; those with weaker or no security will get higher rates, or will not be afforded coverage at all.
According to Mr. Moccia, cyber insurance has both first-party and third-party implications. First party means your own losses, such as the cost of notifying the thousands or tens of thousands of people whose information has been compromised. Third party means the losses of others who would seek restitution from you: a class action claim for failure to secure confidential data, with its defense costs, settlements and so on. This whole area is still evolving. Some insurers offer only third-party coverage, others offer both, and they differ in how they structure the coverage. For example, one insurer may cover up to $250K in breach notification costs, while another covers notification of up to 2 million affected people with no specific dollar limit.
Some insurers' policies can also incorporate coverage for the acts of "rogue" employees and insiders.
The author points out that the insurance industry is a very old industry, and one that is slow to adapt its ways of doing business. Insurers package their policies the way they want to sell them, as opposed to the way people and businesses want to buy them. For example, the types of claims discussed here are relevant and likely for any kind of company today. General liability claims are very uncommon and unlikely (at least for vanilla office-based companies, like tech businesses and professional service firms), and traditional business interruption coverage doesn't address these cyber issues. Yet those coverages are part of the standard policy that all businesses carry. To get the total protection a business needs, it has to buy several policies, usually from multiple insurers. The first progressive insurer willing to incorporate coverage for these modern exposures as part of its standard commercial policy (even if it just dips a toe in the water and offers $10K or some other nominal amount) will have a huge advantage over the rest of the market.
I'm sure that many SMB organizations have holes in their coverage when it comes to cyber insurance, and I really doubt that they could pass the security audit. Many of the organizations I deal with have very low security postures; conversations about password policies, document retention and user account life-cycle are a big deal, even when my counterpart has come from industry into education.
- Business insurance news: Firms unprepared to cope with cyber attacks (premierlinedirect.co.uk)
- Downside of Online: Cyber Crime & Stolen Data (trustedchoiceexaminer.wordpress.com)