Cyber Insurance is the Last, not First Step in Risk Mitigation

In the world of risk, and specifically risk mitigation, cyber insurance is the last chapter in your cybersecurity playbook. Let me explain: the goal of any security plan is to mitigate (stop or reduce) threats as much as possible. In a network, that means layered tools (firewall, anti-virus, backups, etc.) along with policies, user education and other techniques. After implementing these active threat-stopping and deterring steps, and thereby reducing your threat landscape to the lowest point possible for your particular business needs, you then use a cyber insurance policy to transfer the remaining risk to an insurance company.

The details: cyber insurance can be a benefit when disaster strikes, but a common misconception is that it helps mitigate risk. Cyber insurance alone is not an acceptable form of risk transference. While it is one of the needed layers in mitigating risk, protecting your networks, and protecting your client data, many steps should come before purchasing cyber insurance. These steps also help ensure that, when there is an incident, you are in compliance with the requirements the cyber insurance policy imposes as a condition of coverage. Let us take a moment to understand why.

Organizations that do not fully understand the cyber threats their company faces end up purchasing insurance coverage that does not cover their organization’s specific risk. Current coverage types can include the following first-party coverages*:

  • Theft and fraud
  • Forensic investigation
  • Business interruption
  • Extortion
  • Computer data loss and restoration

These are in addition to third-party coverages* that can include:

  • Litigation and regulatory costs
  • Regulatory response
  • Notification costs
  • Crisis management
  • Credit monitoring
  • Media liability

Each of the above coverage sections is specific and can be complicated. If you have not defined your cybersecurity needs, do not understand the risk, and do not have a plan to mitigate the risk, you may pay for coverage that does not mitigate your organization's risk. Additionally, cyber insurance policies require that certain controls and client procedures be in place prior to coverage. Cyber insurance policies typically contain statements that exclude losses or claims attributed to dishonest practices or criminal acts, contract breach, theft of trade secrets, unfair trade practices, and employment practices.

Excluded losses could include:

  • Malicious attacks conducted by insiders, such as employees or IT staff
  • Failure to meet institutional compliance requirements, such as those imposed by the Gramm-Leach-Bliley Act (GLBA)
  • Failure of your business partners to protect data entrusted to them

Organizations that fail to implement and enforce cybersecurity measures could void any cyber insurance coverage and leave the organization open to accusations of gross negligence. Cyber insurance underwriters typically ask for copies of current risk assessments or proof of cybersecurity policies and practices. Typical questions from insurance providers cover areas such as:

  • Has your organization implemented cybersecurity policies and procedures?
  • Has your organization implemented risk assessment activities that cover:
    • Current cybersecurity threats to the organization
    • Cybersecurity incidents as they arise
    • Cybersecurity risks as new systems are implemented or changes are made to business processes
  • Does your organization have an assigned individual who oversees, and is accountable for, cybersecurity?
  • Does your organization have threat monitoring and log correlation systems or activities?
  • Does your organization have a cybersecurity awareness training program for your staff?

These are just a few of the questions that most cyber policies ask. An organization that represents any of these requirements as met when in fact they are not can have its coverage voided from the start of the cyber insurance policy term.

In short, cyber coverage provides you with a component to fill gaps in your current cybersecurity practices and to mitigate the impact of accepted risks. Cyber insurance does not provide valid coverage for organizations that forgo the implementation of current industry best practices.

To better understand your risks and determine if cyber insurance coverage is a good fit for your organization, work with your company’s designated cybersecurity consultant. If you do not currently have a consultant, the experts at EDTS Cyber are ready to help.

* McGuire Woods, “A Buyer’s Guide to Cyber Insurance.”


About the Author: Delano Collins, CISSP, CISM, CASP, C|EH

A native of Augusta, Georgia, Delano Collins is the Chief Information Officer of EDTS, LLC, a managed IT services, advanced infrastructure, and business continuity solutions provider, and of EDTS Cyber, a solutions provider specializing in 24/7 cybersecurity monitoring, audits, assessments, incident response and forensic investigation. Under his leadership, EDTS Cyber was most recently awarded the “Award of Excellence” by SC Cyber.

With a background in the banking industry and more than 25 years of experience in technology, Delano has spent his career specializing in cybersecurity, compliance and network design. Since joining EDTS more than 12 years ago, he has demonstrated a passion for security, innovation and strategic thinking that has helped EDTS remain among America’s preeminent technology solutions providers since 1999.

His certifications include Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), EC-Council Certified Ethical Hacker (CEH) and CompTIA Advanced Security Practitioner (CASP). Passionate about the need for cybersecurity awareness and education within the business community, Delano has published articles in CIOReview and Business Solutions, and serves on two Technology Advisory Boards for area schools.
