Watch: Current Trends in Cybersecurity Insurance

Date October 26, 2022
Categories
Article Authors
William J. Heaven
William J. Heaven

Highlights of the October 26 HBK Risk Advisory Services webinar hosted by William J. Heaven, CPA/CITP. CISA, CSCP, Senior Director; and featuring Joseph E. Brunsman, MSL, President, Brunsman Advisory Group

Watch On Demand.

Understanding cybersecurity insurance policies:

Insurance companies have not done a good job simplifying understanding of their policies for people.

There are hundreds of different policies, all different and complex. The best policy for you depends on your business, your internal controls, your cybersecurity controls.

Insurance salespeople have no legal responsibility to explain their policy to you or even understand it themselves– the onus is on the business owner to get the right policy.

Two sides of coverage for consideration:

-3rd party coverage: your clients, vendors, other parties, someone getting money from your business

-1st party coverage: coverage for you, the money your business has to pay, needs to pay, wants to pay after a cyber event

What might actually be covered: four buckets of types of coverage or coverage inclusions. First bucket is 3rd party coverage; all others are 1st party coverage:

-Data breach: access and acquisition of covered information (social security numbers, drivers license numbers, etc.). What you need:

  • Attorney
  • Forensics: nothing stole or proof of exfiltration of data
  • Hacker damage
  • Notification
  • Credit monitoring
  • Business interruption reimbursement
  • Regulatory fines and penalties

    • -Ransomware

  • Attorney
  • Forensics
  • Ransom payment
  • Hacker damage
  • Business interruption (average is 22 days of system being down in part or full)
  • Notifications
  • Credit monitoring

    • -Loss of funds – have to be specific on what you’re buying

  • Cyber crime
  • Wire fraud
  • Push payments
  • Reverse social engineering
  • Social engineering fraud

    • -Miscellaneous and often missing: ask stakeholders and what is most concerning

  • Crypto-jacking
  • Bricking
  • Systems failure/business interruption
  • Utility fraud
  • Invoice manipulation
  • Dependent business interruption
  • Dependent system failure
  • Customers’ accounts
  • PCI/DSS
  • Media liability
  • Voluntary shutdown
  • Business interruption/PD 1st & 3rd party

    • Important changes occurring in cyber policies: work with CFO and plan expenditures ahead to avoid a gap in your policy

  • Stricter control requirements (backups) – need a vulnerability assessment to determine what you need
  • Insurers cutting off specific industries often at certain revenue thresholds
  • Hardware/software acquisition is possibly a time-sensitive issue
  • Caps on “widespread” events
  • Co-insurance/deductible requirements on ransomware
  • Lower limits and supplements

    • Critical vulnerability exclusions:

  • A patch with a CV-1 score of 8 or more must be implemented within 14 calendar days of issuance
  • Not covered: old hardware and software exclusions
  • Spying/monitoring remote workers; talk with an attorney about cyber implications for remote workers
  • “Zero-day” exclusions: almost no way to counter a zero day attack

    • Cyber coverage is increasingly being required; increasingly seen in contractual agreements; best to get insurance now before your industry requires it.

    Office of Foreign Assets Control (OFAC) guidance: If you pay a ransom you might risk violating OFAC regulations by providing ransoms to sanctioned persons in sanctioned countries, therefore a national security issue. Even though you have coverage for ransomware. OFAC can impose uninsurable civil penalties. And because of the war in Ukraine, more sanctions are being applied every day.

    Moving forward:

  • Determine what your firm will require.
  • Plan your changes and budget accordingly.
  • Work with your MSP and IT staff.
  • Refer to CIS Top 18 controls.

    • Why insurance will force an increased budget:

  • Rates up 40 percent due to the frequency of ransomware attacks
  • Increased frequency of all types of attacks
  • Two ways to increase your cyber budget: the hard way
    • Post-breach, via breach notification letters: enhancing security after a breach or you could be liable for legal action
    • Regulatory mandates: knowing the cybersecurity laws that apply to you and what you need to do to comply; government could require reasonable cybersecurity protections in place
    • Cyber insurance renewals: justification required of what you’ve done to mitigate a repeat of that event; required to adhere to insurance directives to get insurance; much more comprehensive and demanding applications

    Two ways to increase your cyber budget: the easy way

  • Voluntary: working with a professional on a vulnerability assessment and having a plan of implementation; identifying the greatest level of safety you can afford; working with your MSP and IT professionals
  • Working with competent legal counsel to assess your legal requirements; making sure you have the right insurance policy

    • Security is a journey not a destination.