Cyber insurance policies have existed since the early 2000s. Businesses going online wanted safeguards against risks associated with evolving cybersecurity threats. Having a cyber insurance policy is just a starting point, though, and your business also needs to understand the insurer’s expectations of you. Otherwise, you might find your claim gets denied.
As with most professional liability policies, your cyber insurance may have exclusions, including:
- rogue employees;
- wild viruses;
- regulatory claims;
- fines and penalties;
- property damage.
Cyber insurers also may not pay out if they find “a failure to maintain.” This might also be “failure to follow” certain standards of care. It’s the online version of negligence. But what does it really mean?
Standard of care expectations
Insurance companies want proof that your business takes proper precautions to prevent cyberattacks. If you can’t show you’ve implemented strong security measures, you run the risk of a denied claim.
Your insurer doesn’t want to pay out. So, they’re going to require you to put protection in place. This can be done internally or via a third-party service provider (such as a managed service provider (MSP)).
Your security approach must be comprehensive. It’s best to map out all your technology so that you can identify every endpoint that needs protection. Relying on antivirus software, for instance, is unlikely to satisfy your insurance provider. Add active threat detection and response tools to your arsenal, too.
You’ll also need to show that you’re securing your supply chain. A breach exposing 40 million debit and credit cards started at a retailer's HVAC vendor. Target estimated the breach cost $202 million. This was in 2013, but this attack type remains a real threat due to digital interconnectedness.
Insurers also want to see evidence of effective training for your employees, because humans are the weak link. Your staff may not mean to do wrong, but they are the ones with weak passwords, or misplaced devices, and who may be downloading malware.
Expect insurers to also want you to have:
- encryption to secure data;
- multi-factor authentication to make unauthorized access more difficult;
- virtual private networks (VPNs) to secure connections between computers and the internet;
- regular data backup;
- company policies and processes to respond to cybersecurity incidents.
Cyber insurance evolves, too
As the cyber environment is always evolving, insurers are regularly adapting. They may have quoted coverage for a particular risk but then changed their policies to decline that risk a year later. It’s one more thing to keep abreast of while also working to secure systems against cybercrime.
Have questions about your cyber insurance policy? An MSP can review your security policy and ensure you’re doing everything to maintain coverage. Our experts can also run regular audits and provide proof of your efforts. Contact us today at: