The growing risk and disruptive potential of cyber-attacks are making cyber liability insurance (CLI) increasingly relevant to many businesses. CLI offers a way to mitigate financial risk and (if done well) create a “safety net” to improve resilience should a data breach disrupt your operations.
But like any insurance policy, cyber liability insurance requires you to take “reasonable care” to reduce vulnerability and risk. To avoid denial of a claim, nonrenewal or outright cancellation of your policy, you need to align your InfoSec policies and procedures with the terms of your CLI.
Cyber Liability Alignment Checklist
Are your current security practices and day-to-day business activities in compliance with the terms of your cyber liability insurance policy? Here are five key steps to help ensure alignment:
1) Provide security awareness education.
All employees, especially those involved with sensitive data, need to be educated about security issues and follow security policy. Your CLI may even mandate that you provide security awareness education because of its importance in reducing cyber risk.
2) Ensure that business decisions don’t violate security policy.
Decision-makers need to be aware of how their actions could violate security policy and negatively impact the company’s security posture. Otherwise, they may unknowingly invalidate your CLI.
For example, executives should inform the Chief Information Security Officer (CISO/CSO) before moving sensitive data to the cloud. Moving data off on-premise servers could not only increase cyber risk, but also invalidate insurance coverage for that data, depending on whether the policy covers cloud-based data.
Any change to a business process that accesses or shares sensitive data should be assessed in relation to InfoSec policy and CLI. Even just automating a currently paper-based process could increase cyber risk and/or violate the terms of your cyber liability policy, for example.
3) Understand and communicate how your CLI addresses ransomware attacks
Some cyber liability insurance policies cover ransomware payments; many do not, or the coverage may be limited. The projected $275 million CLI payout to cover a portion Merck’s exposure to a June 2017 ransomware attack is a well-publicized case in point.
It’s likely your policy has specific terms regarding ransomware, which employees need to know and follow in the event of a breach. Immediately notifying the CLI provider and the CSO/CISO of the breach and any ransom demands is especially critical. Limiting payments to specific cryptocurrencies may be another cyber liability stipulation.
While ransomware has become the fastest-growing cause of CLI claims, paying a ransom, especially before contacting the insurer, can nullify some policies. That would mean the event was not covered and the policyholder would receive no compensation for losses or costs. Insurers may view ransom payment as a “last resort” and want companies to do all they can to recover the data first.
4) Align mobile/BYOD policy with your cyber liability insurance
Because mobile endpoints are frequently less secure, some CLI policies may not cover data stored on mobile or remote devices to the same degree that they protect data stored “behind the firewall.”
Security and business decision-makers need to know the specific circumstances under which their cyber liability insurance policy does and does not cover mobile devices and data, and either align the mobile/BYOD policy with the coverage or negotiate more appropriate coverage.
5) Collaborate with your insurer when you implement new security controls
Cyber liability policy providers often have extensive cyber security experience and knowledge that they are more than willing to share to reduce your risk—and theirs.
Security leaders should take advantage of this expertise and consult with their CLI provider to put recommended solutions in place, align with best practices and/or ensure that plans for implementing new controls comply with the CLI. It may even be possible to negotiate premium reductions for improving your security posture.
If you have questions about the benefits of CLI for your business, or want to improve your security posture to reduce CLI premiums or obtain coverage, contact Pivot Point Security.