What do you think this is?

Just thoughts of a restless mind...

To cyber-insure or not?

Professional liability insurance has been around for a long time. It is no surprise that Cyber Insurance is becoming a trend lately, considering the constantly rising number of security breaches. The post in one sentence: Cyber Insurance is a good thing, but be careful what you wish for.

Basics: Is it related to security?

The first question people usually ask me is whether Cyber Insurance is something that falls under Security's responsibilities. In general, insurance is handled by the legal or compliance departments. Nevertheless, there is no clear answer here. If you consider Security to be IT Security, meaning servers, firewalls and the typical antivirus, then you don't need to actively pursue Cyber Insurance; it's somebody else's job. If, on the other hand, you consider security to be a risk-management-based, holistic business function, as I do, then Cyber Insurance is on your table.

How does Cyber Insurance help?

A security incident may impact an organization in several ways. Some of these are financial: regulatory penalties and fines, damages incurred by customers that need to be reimbursed, and downtime and recovery costs. These are all things that Cyber Insurance can cover. As a result, Cyber Insurance is yet another arrow in your quiver. It is another option under the "transfer" or even "mitigate" responses for security risks; but don't forget to review the residual risks.

When does Cyber Insurance NOT help?

Other ways an organization may be impacted by a security incident may not be covered by Cyber Insurance. Reputation damage, and the actual, permanent loss or destruction of data, are examples where Cyber Insurance may chip in but will never fully cover or mitigate the damage. This is also something that a cyber security practitioner or risk professional needs to take into account, and that is why proper evaluation of the residual risk is important.

Don't insurance policies have fine print though?

You are familiar with car and household insurance, I guess, and you should know by now that if your car crashes while you are driving it drunk, or while you have given it to your underage child to drive, the insurer accepts no responsibility to pay you anything. If your house is broken into but there are no signs of a break-in (e.g. someone copied your key), then again, most probably the insurer won't cover you.

Cyber Insurance is not very different. Just some months ago, the news was that the National Bank of Blacksburg in Virginia was offered just $50k by its insurance firm for losses of $2.4 million. You can also find yourself in the same situation.

Most Cyber Insurance policies come with a questionnaire. Typical questions such as "is antivirus installed on all your computers?" are tricky. You may answer yes, but if you get compromised, the most probable patient zero (or entry point) is a forgotten, unprotected computer. If you think your insurance will cover you then, you should think twice.

And let's not forget that some cyber insurance companies now turn against the cyber security services firms. That is interesting because, as anyone who has worked with contracts knows, many of those pieces of paper limit the liability of the vendor to a ridiculously low amount. I wonder how this will end up for the breached organization that is now caught in the middle.

Get your techies on board

I said before that if you're an IT Security guy or gal you don't need to take any actions. But make sure that if a questionnaire from a cyber insurance vendor reaches you, you answer it honestly and are absolutely transparent with your business about the gaps in your security controls. The honest disclosure of these gaps may be the only thing that can guarantee that the cyber insurance provider won't blame you for the breach and that you will be fairly compensated.

As I have stated in the past, you need to be diligent in your cyber security efforts, and if you don't have the proper governance and processes in place, or if you turn a blind eye to past security incidents, these may turn out to be very expensive decisions and/or omissions.

Do share your thoughts and experience on cyber insurance!