Cyber insurance coverage can be tricky to navigate, especially if you are new to the market. A cyber insurance policy is meant to protect your business and customers from liability as a result of a cyber incident.
As part of a well-rounded information security program, cyber insurance certainly can be beneficial. It can help alleviate some of the cost involved with an incident, and it can help you with legal coverage in the event of a breach.
There are also a lot of ways to go wrong with cyber insurance coverage if you don’t know what to look for. In this post, we’ve compiled some do’s and don’ts to serve as a starting place for your cyber insurance considerations. Consider these things as you negotiate a cyber insurance coverage policy. Use this guide to choose your provider wisely and ensure your policyholder will fit your needs.
DO: Know What’s Included (and What Isn’t)
Not all providers or policies are equal. There are many different companies with different levels of coverage. That said, there are some commonalities among most policies.
Standard Cyber Insurance Coverage
Typically, the events covered within your cyber policy include:
- Customer Notifications
- Customer Protections (Credit Monitoring and other Personal Restoration Services)
- Extortion Coverage (Ransomware Negotiations)
- System Recovery Services
- Digital Forensics
This is a basic starting place for most policies. Usually, you can add other services or coverages, and other variables (such as deductible) also factor into your cost and coverage.
Please note that this is only a guide. While these are standard inclusions in most policies, it is imperative that you understand the specifics of the policy you select.
What’s Not Included
There are some things that will typically not be covered by your insurer. Be aware of these exclusions and plan around them.
Infrastructure Improvements
If you read the fine print, you’ll notice that most policies state they will only support the restoration of your infrastructure to the state it was before the attack.
This is an important point. Most insurance does not cover infrastructure improvements during recovery.
During incident response, you will likely identify deficiencies in your environment that led to the compromise, and it usually costs money to remediate those findings. This fine print means the remediation will not be covered by insurance.
It is imperative to understand how this could impact you.
We recently worked on a case for a client who had been the victim of a ransomware attack. The attackers demanded a payment of $750,000 to restore the client’s data. The client considered, rather than paying the attackers, that money could be better spent rebuilding and improving their infrastructure and security posture to prevent this from happening again.
The total cost for an infrastructure rebuild and improvement project was around $500,000, so they would save $250,000 and have a stronger system for it.
However, the client learned that rebuilding or improving their infrastructure was not covered by insurance. If they wanted to rebuild to the previous state, that would be covered – but any improvements would not be.
Proactive Services
Cyber insurance coverage unfortunately does not typically include proactive services. Proactive services can include tabletop exercises, IR plan coaching, proactive testing (vulnerability scanning and penetration testing), and more.
These services are critical in incident preparedness, and they are a key part of a strong security program. Essentially, none of the exercises you need to complete to lower your risk level and ensure you are prepared in the case of an incident are covered.
DO: Ensure Your Insurer Will Allow You to Work with Your Preferred Vendor
We recommend engaging a cyber security partner and developing a relationship before an incident. A good partner will work through those proactive services mentioned before to ensure you are prepared for an incident.
Additionally, your partner will already know your capabilities and infrastructure – meaning that in the event of an incident, you will be able to engage quickly and work efficiently. When battling a cyber adversary, every minute you save will be critically important.
Think of cyber insurance like auto insurance. If you have a car accident and need to have repairs, do you want to go to the autobody shop your insurance provides? Or would you rather go to the autobody shop you’ve used for years and trust to take good care of your car? Simple answer.
The same goes for a cyber incident. Do you want to use the insurance-provided vendor, or do you want to work with the cyber security company that you know and trust?
Some insurers will not allow you to choose who you work with. They have a small network of digital forensics and incident response firms that will be assigned to you on claim kick off.
Bringing a new vendor on board during a critical incident with no history of your business, infrastructure, and security posture is not an ideal approach. It makes sense to steer away from providers who don’t understand the value in allowing their clients to work with their preferred vendor.
Although most insurance companies have their preferred vendors, there are insurance providers who will give you the option to choose who you work with. They typically have an onboarding process, which will consist of interviews, questionnaires, and rate negotiations before an incident occurs.
When negotiating an insurance policy, ask if you can choose your preferred vendor. If the answer is no, find another insurance provider. There are plenty who support this model and understand the value it provides to their clients.
Why Would Insurance Providers Limit This?
It should be easy to understand that working with your established security vendor will save you critical time and money in the event of an actual incident. So, why wouldn’t your provider allow you to work with your own vendor?
Remember that a cyber insurance provider is a business, and that business needs to make money. Therefore, a primary interest of the carrier is to minimize incurred costs during a claim. One way to do this is by forcing you to work with their provided vendor; the insurance provider has likely pre-negotiated cheaper rates with the security vendor.
DO: Ensure Your Provider Will Allow You to Know Your Breach Coach Before an Incident
A breach coach will be the resource your insurance company provides who assists you through the incident response process. They will help you navigate this stressful situation, identify any resources you need, and assist you in engaging and executing as needed.
Typically, breach coaches don’t work directly for the insurance company, but for a law firm the insurance company partners with. Most insurers assign a breach coach to your account when you sign your policy. However, most people don’t realize this and only engage their breach coach in the time of an incident.
We recommend that you set up a meeting with your breach coach as soon as you get a policy. Get to know them, understand their role in the incident, and allow them to meet your preferred incident response provider.
Having this out of the way before an incident occurs will save you tons of valuable time in the event of an incident. It will also offer you peace of mind and confidence in a facet of your IR team before an incident ever occurs.
When negotiating your insurance policy, ask your provider if they assign a breach coach on policy execution and if you can work with the breach coach right away. If the answer is no, find another vendor.
DON’T: Pick Too High of a Deductible
Don’t choose the cheapest policy just to have coverage; you may find that the deductible is not financially feasible for your organization. During an incident is not the right time to find out that you can’t afford the deductible.
I worked on a case with a $500,000 ransom demand, and the client had a $500,000 deductible. Neither way to spend the half million dollars was financially digestible by the organization, and they were unable to pay the ransom or use their cyber insurance coverage.
Take the time to understand your business, sector, size, and so on to determine what is a manageable payment for your business in case of an incident. Then, select a deductible that fits within your budget.
DO: Know When to Engage Insurance
Often, our clients ask us when it’s appropriate to call their cyber insurance provider. There is no set-in-stone answer, but there are some guidelines for knowing when to call. Engaging insurance doesn’t always make sense.
Let’s revisit our auto insurance analogy. Is it worth reporting a $1,200 repair after a car accident when your deductible is $1,000? Likely, no.
Involving your insurance provider would give you $200 (16%) worth of coverage, but also the stress of going through the process. Worse, your rates will inevitably increase, costing you significantly more than $200 over time.
If you have an information security partner who can work through the response process with you, there may be no need to engage your insurance provider. This approach also gives you the opportunity to be more proactive and possibly prevent an incident from occurring – saving you time and money in the long run.
DON’T: Assume Insurance Is a Silver Bullet
Understand that insurance is just that – insurance. It is not an incident response plan. It does not improve your security posture or your incident response capabilities. It is meant to work in conjunction with other proactive measures, not replace them.
I’ve worked with many organizations who believed that because they have cyber insurance, they don’t have to worry about incident response preparedness. This is a mistake.
Unfortunately, as the common infosec expression goes, it is not a matter of if you will be compromised. It is a matter of when. Planning for incidents and testing beforehand will give you the power to reduce your likelihood of impact and reduce your damages incurred when the inevitable happens.
To be adequately prepared, organizations must develop an incident response plan and test that plan through tabletop exercises and other incident simulations such as Red Team and Blue Team engagements.
Don’t rely on your cyber insurance coverage alone to get you through an incident. Work with a trusted incident response partner before an incident happens. That way, you can understand where your soft spots are and develop a plan to fix those things.
Conclusion
Cyber insurance is still a relatively new offering for many insurance companies, and there will be variations in their contracts. I urge you to read the fine print and consider all of these key points covered here when choosing an insurance provider and negotiating a policy.
Know the specifics of your policy and what is and is not covered. Find someone who fits your needs and is willing to work with the partner that you trust in the event of an incident. Get to know your breach coach, and ensure your deductible makes sense for your organization. And don’t rely solely on cyber insurance to protect you in the event of an incident.
If you need help finding a qualified incident response partner, check out our guide on what to look for in a provider.