The Basics Of Cybersecurity Insurance Protection
In 2014, the Insurance Services Office issued a standard exclusion for cyber breaches for the commercial general liability (CGL) policy, and many, although not all, companies have incorporated this exclusion. For small businesses, it is possible to get an endorsement added for the cyber exposure. Even a medium-sized small business could benefit from a separate cyber policy.
The accounting firm Ernst & Young recommends the following to obtain reasonable premiums:
- Review, assess, and where applicable, fortify your cybersecurity infrastructure. To qualify and obtain reasonable premiums, companies must have a demonstrably strong IT security infrastructure.
- Complete the policy application thoroughly and truthfully. The policy application will go through a long list of questions about IT security infrastructure, company practices and any past breach events. Any inaccuracies or inconsistencies could result in claims being denied or in cancellation of the policy.
Cyberterrorism insurance coverage may also be available through the U.S. Government Terrorism Risk Insurance Act (TRIA). Purchasing this as part of a standard liability insurance policy may be an option to consider. However, to qualify for such coverage of an incident, the U.S. Department of Homeland Security and other government agencies have to certify the incident as an act of terrorism.

A common misconception is that the data storage provider you use - for example, the cloud server or internet service provider (ISP) - is ultimately responsible for the information in their system. However, your company may also be responsible and liable for the data it collects. Ultimately, data storage providers may only be responsible for securing that data. So, if their security is breached, your company remains responsible for its own (and its customers') data.

Most cyber insurance carriers offer various policy coverage options - there's no "standard package" for cyber insurance. Below are some cyber policy options that your company might want to consider for its business.
- Accident Option - For example, a network power outage caused by an attack is a real risk that is insurable.
- Business Interruption Option - There may be a risk to your business when an attack results in a company's vehicles or IT systems being completely or even partially disabled.
- Regulatory Option - This option provides cyber coverage for regulatory investigations and potential fines. (Also, review whether your business may be at risk from any claims arising under the European Union's General Data Protection Regulation (GDPR).)
- Crime Coverage Option - Some risks such as phishing and social engineering may be covered under both crime and cyber policies. It is important that a business have a non-cyber crime policy that is aligned with its cyber policy.
- Business Protection Option - This option helps a business cover the costs of a forensic investigation, a privacy attorney, notification and public relations, etc.
One of the key differentiators among insurance companies is the amount of knowledge and feedback they are willing and able to provide to the insured to help prepare and train its customers to avoid cyber losses. The vast majority of exposures and insurance coverages relate to financial transactions, ransomware, business interruption, identity theft and recovery costs. Understanding the relative risk of telematics and vehicle-maintenance information in the grand scheme of potential cyber exposures is also important.
The following is a list of things your company can do to secure its information and improve its posture for cybersecurity insurance planning:
- Use strong passwords to secure your accounts.
- Develop a policy for use of external devices (computers or devices such as thumb drives, smartphones and mobile devices that are not the property of the organization) connecting to your company network.
- Beware of phishing and social engineering tactics trying to obtain your personal data.
- Conduct online business transactions only at known trusted sites/companies.
- Do not use a public computer or public wireless connections.
- Change the default password on your admin accounts and always run computers in a non-administrator (non-admin) mode unless otherwise needed.
- Regularly update your systems and software to keep them up to date.
- Protect your mobile devices. Establish a password and enable screen lock or auto lock on all devices; change the default password for connecting to a Bluetooth-enabled device; encrypt data and data transmissions whenever possible.
- Enable a firewall on each of your organization's computers.
- Enable anti-virus and anti-spyware programs on all devices. It is also very important to keep these up-to-date by keeping the license active and the program set to auto-update.
- Secure all wireless networks by enabling encryption; change the default password, and change the Service Set Identifier (SSID).