Cybersecurity Insurance

Recent events of cybersecurity breaches and losses have led to the development of cybersecurity insurance - an insurance product designed to protect against losses related to computer or network incidents. For a small to middle-sized business (“SMB”) with less than 100 employees, does a cybersecurity insurance policy make sense?

The common claims on cybersecurity insurance policies originate from email compromise, fund transfer attacks, and ransomware attacks. A great majority of the claims emanate from acts of the insured.

Exclusions from cybersecurity insurance coverage often include existing coverage from other policies of the business, acts of war or terrorism, and intentional acts against public policy. While there is the possibility that certain cybersecurity events could be linked to terrorism or acts of war, there will also be an appropriate concern about whether other business insurance coverage might also include losses from a cybersecurity incident. Because the cybersecurity insurance product is a new offering that was not available when older policy language was written the scope of existing insurance coverage should be reviewed with the broker offering the cybersecurity coverage.

As with any insurance policy, there are conditions and definitions which can cause coverage to fail, such as failure to report the incident within a time limitation, representations and warranties of the insured not being accurate, retentions and wait periods not honored, and inappropriate processing of the claim.

Many of the insurance products offered require initial screenings of existing cybersecurity protection and offer incident response assistance (including negotiations with ransomware entities) as well as the payment of claims. As a part of offering coverage, some companies require a review of existing cybersecurity procedures in place. This can be very helpful to the SMB not sure about which protections to put into place. Some companies offer cybersecurity services after an attack. These services include training, phishing simulations, domain protection, network monitoring, patch management, password management, legal consulting, and security consulting. These services need to be considered when contracting for cybersecurity protection.

An SMB is usually looking for the best value solution to cybersecurity protection. The balance between risk and resources is critical. The more probable the prospect of a loss the better the case for expending resources on cybersecurity insurance premiums.

The place to start is with the fact that most of the losses businesses experience from cybersecurity originate with acts of employees of the business. The more aware employees are of cybersecurity issues and the more employees follow the discipline of cybersecurity policies, the lower the risk of a loss to a cybersecurity incident. Putting first things first, training employees will provide the primary protection against cybersecurity threats.

It does not take much of a crystal ball to see that in the future internet and network business communication will be based on threshold requirements of cybersecurity protection on communicating networks. Fulfilling this requirement needs to be a part of business planning, including that of SMBs. Enterprise-level businesses can ramp up cybersecurity protection using in-house IT professionals and large independent contractors with sweeping and expensive solutions. SMBs are more likely to be looking at a variety of protections, and, almost always, from independent contractors.

For an SMB trying to make strategic decisions in the wild world of cybersecurity, the risk strategy wisely could begin with including a net against catastrophic cybersecurity events with cybersecurity insurance while protections are being put in place and certifications earned.

If you are not in crisis and want to take the time to evaluate the resources and risks involved in various cybersecurity solutions, immediately start an employee education and discipline program. Then begin asking the questions, such as: Should you enter into an independent contract with one cybersecurity contractor who promises an overall solution? Are there compatible independent contractors whose products mesh? Should you develop one or more in-house experts who can oversee the independent contractors involved? At the same time you are asking these and other questions, initiate a dialogue with cybersecurity insurers to provide valuable insight into your present situation and determine if you need protection against a cybersecurity catastrophe. Through strategic planning, examine a risk solution other than that of throwing a great deal of resources into solving a problem before a proper analysis can be completed.

Planning for Cybersecurity Issues

Businesses with less than 1,000 employees (sometimes referred to as small or medium businesses or “SMBs”) are becoming concerned about cybersecurity. Not only is there an increasing amount of cybersecurity threats, but government regulations require SMBs in certain areas such as healthcare, finance, and defense to meet certain cybersecurity standards and practices.

According to Gartner’s Information Technology Glossary, cybersecurity (spelled as one word) refers to the systems, technologies, processes, governing policies, and human activity that an organization uses to safeguard its digital assets. The definition goes on to state that “cybersecurity is optimized to levels that business leaders define, balancing the resources required with usability/manageability and the amount of risk offset.” Many SMBs are doing this balancing.

According to Tim Matthews, writing for the website Cybersecurity Insiders, the first computer virus was created in 1971. It was called the Creeper Virus, and only displayed messages. The security protocol that allows people to purchase items online securely was made possible by the Secure Sockets Layer (SSL) internet protocol. Netscape began developing the SSL protocol not long after the National Center for Supercomputing Applications released the first web browser. In February 1995, Netscape released SSL 2.0, which became the core of the language for securely using the web, called HyperText Transfer Protocol Secure (the HTTPS in a website address).

Less than 30 years later, most business organizations have digitized their most pertinent data. They now use software systems, the cloud, and other platforms to enable their operations. Companies are leveraging these digital assets to shift and improve the way they do business and deliver services. As businesses increasingly rely on digital data and technology systems, they will also need to deploy cybersecurity strategies, including encryption, risk management, and the prevention of unauthorized access.

Be Careful Whom You Like

Think about what people do that ticks you off. People who whine. People who are critical. People who always have a problem. People who do not get with the program. Doesn’t it irk you when there is some smart ass who asks, “Why are we doing this?” To react negatively and dislike these people is natural, but for a business owner it is also dangerous.

It is human nature to like those who agree with us; it is also human nature to dislike those who do not agree with us. Call it arrogance or pride, we all know the emotional reaction.

Those business owners who can get past this emotional reaction and evaluate the differing opinions they encounter, often find their perception of reality altered and the decisions they make becoming better. This trait of humility is one of the most important leadership qualities.