Tag Archive for Liability

Are There Holes in Your Cyber-Liability Coverage?

In the aftermath of the many Sony data breaches, the firm faces 58 class-action lawsuits. On top of the lawsuits, Sony (SNE) has a cyber-liability coverage problem. Help Net Security writes that an unexpected development could throw a wrench into Sony's plans to reduce its losses: Zurich American Insurance Company, one of Sony's insurers, has petitioned the Supreme Court of New York to relieve it of any obligation to compensate Sony for the losses it might incur if it loses any of the many lawsuits filed against it over the recent breaches.

According to Computerworld, the case highlights that coverage for cyber-attacks and data breaches has become a separate line of insurance that is not included in a general liability policy. Companies also need to read carefully what a cyber-liability policy actually includes: it often covers the cost of recreating lost data, but rarely the costs that follow from a breach, such as legal expenses and breach-notification costs.

According to Alan Paller, director of research at the SANS Institute, very few insurers write cyber-liability policies that include those costs. Among those that do, the high premiums and limited payouts, plus the fact that the burden of proving it made an adequate effort to keep intruders out rests with the insured company, lead many businesses to decide against it.

rb-

I covered this wrinkle in cyber-insurance back in 2011, here. Proper risk management includes planning for events and how to mitigate them. Does your firm have cyber-liability coverage? Does it even know its general liability coverage from its cyber-liability coverage?


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Cyber Insurance

John Moccia of Innovation Guard wrote a good primer on what happens when a firm needs to buy cyber insurance, in a thread at Internet Evolution. He writes that loss control and security precautions are built into the process of acquiring cyber insurance. Firms such as NetDiligence partner with insurers, and when you buy a cyber insurance policy, the coverage is apparently contingent on passing a security audit performed by NetDiligence (penetration testing, an ethical hack, and so on).

The article goes on to say that when a company outsources its technology, for example to a colocation facility where its servers physically reside, the insurer will seek information about the colocation firm's security procedures, protections, and redundancy. In the end, companies with better procedures and protections in place get better rates; those with weaker or no security get higher rates, or are not offered coverage at all.

Cyber insurance has first-party and third-party implications, according to Mr. Moccia.

First party: your own losses, such as the cost of notifying the thousands or tens of thousands of people whose information has been compromised.

Third party: losses of others who would seek restitution from you, for example a class-action claim for failure to secure confidential data, including defense costs and settlements.

This whole area is still evolving. Some insurers offer only third-party coverage; others offer both. They also differ in how they structure the coverage. For example, one insurer may offer up to $250K for breach-notification costs, while another covers notification of up to 2 million affected people with no specific dollar limit.

Some insurers' policies can also incorporate coverage for the acts of "rogue" employees and insiders.

The author points out that insurance is a very old industry, and one that is slow to change how it does business. Insurers package their policies the way they want to sell them rather than the way people and businesses want to buy them. The types of claims discussed here are relevant and likely for any kind of company today, while general liability claims are uncommon and unlikely (at least for vanilla office-based companies such as tech businesses and professional service firms), and traditional business-interruption coverage does not address these cyber issues. Yet those coverages are part of the standard policy that every business carries. To get the total protection it needs, a business has to buy several policies, usually from multiple insurers. The first progressive insurer willing to incorporate coverage for these modern exposures into its standard commercial policy (even if it only dips a toe in the water and offers $10K or some other nominal amount) will have a huge advantage over the rest of the market.

rb-

I am sure that many SMB organizations have holes in their coverage when it comes to cyber insurance. I really doubt that they can pass the security audit. Many of the organizations I deal with have very low security postures. Conversations about password policies, document retention, and user-account life cycle are a big deal, even when my counterpart has come from industry to education.

