By Carl Mazzanti
The volume of cyberattacks against all kinds of companies is rising, with some reports estimating that hackers can penetrate 93 percent of both small- and medium-sized businesses. Those odds are spurring more companies to look into cyber insurance, which could blunt the blow of successful ransomware and other attacks.
It is an important issue that goes well beyond ransomware threats. In one case, a business's employee accidentally transmitted a virus to customers and suppliers — and the company was sued for more than $3 million for its failure to contain the virus.
In another example, an email that appeared to be from a long-standing vendor directed a company to modify the banking information for their account. The company did so and paid more than $200,000 to the “customer” before discovering that the funds had been misdirected to a fraudster.
Traditionally, these mishaps have been covered by insurance — but companies may now encounter more obstacles when they try to get a policy. A series of announcements, like one made last year by insurance giant AXA — noting it would no longer provide support for ransom payments made to hackers — indicates that insurers are getting anxious about providing such coverage.
Some insurers are still doing so but have said they will be more careful about issuing new policies or even renewing existing ones. Businesses, however, can take some steps to increase their odds of qualifying for this critical coverage.
Understand the Policy
Even before AXA announced the pullback, several cyber insurance companies had stiffened the requirements for the companies they insure. Some insurers call for policyholders to complete certain basic security steps, and then charge coinsurance or limit payment to a percentage of the loss incurred. Therefore, a company should take the time to carefully review its new or existing policies, find out what its responsibilities are, and gain an understanding of what the policy actually covers. Some policies may reimburse legal costs, forensic analysis, data restoration expenses, and communications costs related to a breach, while others may exclude some or all of these charges.
At a minimum, insurers often want clients to document the presence of a layered defense, like multi-factor authentication (MFA), which typically requires at least two verification methods to establish identity: usually a password and a verification text sent to a cellphone.
However, a business's defensive steps should not end there, since insurers will often evaluate their customers' entire operations. Some companies may see this as an inconvenience, but conducting an internal review proactively — before applying for a renewal or a new policy — is a good way for a company to understand its potential risks.
Self-evaluation questions that business owners should be asking include the following:
- Does the company collect and process personally identifiable information like Social Security numbers or medical records?
- If yes, are appropriate security measures in place, and is the business compliant with regulatory requirements?
- Does the business rely on an extensive remote workforce? If it does, are employees using secured computers that have the latest anti-virus and other defenses installed?
- Do desktops and laptops include MFA, and is the data stored on them encrypted?
- Are they — and any software installed on the units — configured to automatically install manufacturer patches or other updates?
An organization should have rules in place — and communicated to employees — about how the devices are used. For example, a work-issued device should not be used to log on to MMO (massively multiplayer online) games, which are often hotbeds of viruses and other threats. Such restrictions should also be monitored and enforced.
Access is another important but often-overlooked security issue. Sensitive data should be segregated and should only be accessible on a need-to-know basis. Sales personnel, for example, should not have access to bank accounts, R&D, or accounting files.
Planning for the Worst
Insurers will usually want to know if a business has plans in place in case of a breach. Best practices include backing up files regularly and then isolating the backups so they will not be corrupted or infected in the event of a cyber breach. Written guidelines should also be available for these and other procedures.
Formal training is another factor. As with DEI and other programs, businesses should hold formal Cyber Security training and testing sessions two to three times a year. This kind of customized training may be available from a reputable Cyber Security managed services provider, who should follow up with email and other testing methods to identify whether employees are clicking on unsafe links or engaging in other risky cyber behavior.
Before an insurer issues a cyber protection policy, it will likely look into a company's activities across its operations. As part of its own internal review to prepare for this, management should get input from multiple departments, including accounting, IT, shop floor managers, and others. The operations should be reviewed early on, well before applying for a policy or a renewal, since this will put a company in a better position when negotiating the terms and pricing of insurance.
No one expects to suffer a hack or other penetration, but too many businesses have discovered that it is not a matter of if they will suffer a breach but when. Organizations that have planned carefully — with coordinated defenses in place and well-designed insurance coverage — will be in a better position to mitigate any damages.
Carl Mazzanti is the President of eMazzanti Technologies – a firm specializing in Cyber Security