What to Know About Cybersecurity Insurance
As adults, we insure our investments from cars to homes and even our lives. Business owners buy insurance for a multitude of purposes, but many have never considered or even heard of cyber insurance.

With the ever-growing number of cyber threats businesses face, it only makes sense to invest in cyber insurance, especially given the average cost of a breach now exceeds $3 million. Here’s a look at cyber insurance, what is covered, and what you need to do to make it stick.

What is Cyber Insurance?

Cyber insurance covers a business’s liability in the event of a cyberattack such as a data breach. Typically when a breach occurs, sensitive data belonging to customers, employees, and partners, such as social security numbers, credit card and account numbers, health records, and other personally identifiable information (PII), can be stolen and used for nefarious purposes.

Additionally, hackers can access email accounts and reroute financial transactions, or create false identities to gain internal access to information or funds. This makes it easy for them to reach into a business and steal money.

General liability insurance traditionally only covers property damage and bodily injury resulting from products, services, and operations involving a business. Most general liability policies exclude cyber insurance.

What Cyber Insurance Covers

In most cases, cyber insurance covers a variety of expenses. Speak to your insurance carrier to determine exactly what your cyber insurance policy covers. Most cyber insurance policies cover costs associated with:
- Legal fees and expenses
- Notifying impacted customers, employees, and partners about data breaches
- Restoring the personal identities of affected customers, employees, and partners
- Recovering compromised data
- Repairing damaged computer systems and networks

Why Businesses Need Cyber Insurance

Most states now require businesses to notify customers if a breach occurs that involves PII. This can be an expensive process. Though most states don’t require the breached business to provide free credit monitoring for a time following a breach, it is often recommended as a way to improve a business’s image. Such monitoring can also be quite pricey over time for a large number of people.

Recovering from a data breach can also be costly in terms of getting systems back online securely with the least amount of downtime. Data recovery can also be expensive even when proper backups are in place. Computers may need to be updated or replaced, and cybersecurity may need to be updated as well.

If money is stolen through redirection, false invoicing, or other methods, that too can be quite costly. If you have the right cybersecurity measures in place, cyber insurance would cover a business up to the given amount listed in the policy. Another consideration is that many people are still working from home, even post-pandemic. Remote work has cost businesses an additional $1.07 million in breaches, according to IBM’s Cost of a Data Breach Report 2021.

Cyber insurance can help cover the costs associated with a breach or other cyber event such as a ransomware attack. Without cyber insurance, a business would bear the brunt of these costs alone.

Why Audits Matter

A chief financial officer (CFO) for a financial investment manager called ORAM recently for assistance with his company’s cybersecurity. The company was going to make an early-stage investment into another firm. Unbeknownst to the CFO, a bad actor was accessing his email remotely. The day of the deal, the hacker changed the wiring instructions and was wired $750,000. The money is gone and the odds of them getting it back are zero.

In this particular instance, cybersecurity insurance would not have paid the claim because there is a minimum requirement of multifactor authentication for email. This is a scenario that is completely avoidable with a small investment in having a cybersecurity audit conducted and implementing basic cybersecurity. The audit would have identified security gaps such as the lack of multifactor authentication on the company email, and solutions to fill those gaps would have been offered, preventing this scenario to begin with.

Speak with your insurance agent and find out what a policy requires of a business for coverage to pay a claim should the worst occur. The insurance company may require minimum cybersecurity best practices to be met, proof of an annual cybersecurity audit, or even dictate that specific security measures such as firewalls and multifactor authentication be utilized. Share this list of requirements with your IT department and/or your third-party cybersecurity partner such as ORAM Corporate Advisors so they are aware of what needs to be done.

Implement Cybersecurity Best Practices

One of the most important things your business can do in addition to conducting an annual cybersecurity audit is to implement cybersecurity best practices. Here are a few cybersecurity basics every business should institute immediately:
- Change your passwords for logins and use unique passwords for each system or application. Employ a password manager such as LastPass to keep track of passwords. Require every employee to do the same. Passwords should be at least 12 characters long with a mix of numbers, special characters, and capital and lowercase letters.
- Use multifactor authentication. Ensure systems are using software that requires staff, customers, and partners to use multifactor authentication to log in. This helps prevent unauthorized access and significantly reduces the odds of a breach.
- Train every employee on an ongoing basis. It is much easier to prevent an attack than recover from one. Employees are your first line of defense. Teach basic security practices, personal cybersecurity, and the prevalence of cyber threats. Such training should occur at onboarding and every six months.
- Secure your WiFi. Ensure WiFi networks are encrypted and hidden from public view. If employees work from home, ensure they have encrypted internet, too.
- Ensure software is updated. From anti-virus to firewalls, ensure all security software is updated regularly and patched automatically. This is also true for software and firmware your business depends on daily. Think in terms of security layers.
- Secure physical devices and workspaces. Set the auto-lock feature on every company device. Every device should be secured with an individual pin or password. Have a policy about what can be printed and kept and how it should be stored. Ensure every employee knows and abides by the security policies in place.
- Plan ahead. Have a plan in place should a hack occur. The Federal Communications Commission (FCC) has a free Cyberplanner online, or you can contact a third-party organization such as ORAM to help build a plan.
- Know your business. When it comes to your business, know what data it holds that bad actors may want. Identify why your business may be a target, then secure it.
- Back up everything. If your data is being backed up in the cloud, hackers will be much less likely to disrupt the flow of business operations. With offline backup, businesses can bounce back quickly.
- Know the ABCs of cybersecurity. The ABCs are simple: Always Be Cautious. Don’t click suspicious links or open emails from unknown/untrusted sources. Every email, link, and attachment should be carefully scrutinized.
For more information about cyber insurance, cybersecurity best practices, or conducting a cybersecurity audit, contact ORAM Corporate Advisors today at (617) 933-5060.