Incident Response in 2023: Narrow the Focus on Critical Concepts

Written by: Daniel Poucher

Cyber Insurance in 2023

Cyber insurance has become an absolute necessity for companies, financial institutions, healthcare organizations, software-as-a-service organizations, and many other entities wanting to insulate themselves during a cyber-attack. In 2022, security incidents were at an all-time high, with carriers paying out associated claims. Policy premiums are increasing due to market demand, in some cases by as much as 50%. Rising premiums, driven by carriers' expected losses, are making it challenging even for entities with mature security postures to find coverage. Organizations that decide to go without coverage could be exposing themselves to extended downtime and large monetary impacts.

Coverage Options

With the variety of coverage options being far from standardized, what are some important considerations?

At a minimum, policies should cover the following:

  • Data breaches that could involve theft of client, patient, or customer data
  • Security incidents that involve data stored offsite by third-party service providers
  • Network breaches by threat vectors from domestic and foreign origins
  • First-party and third-party coverage

Also consider if your cyber insurance provider will:

  • Coordinate with external stakeholders such as regulators or law enforcement agencies.
  • Cover the loss of revenue experienced during a breach.
  • Issue public relations (PR) statements on behalf of your organization.
  • Provide acceptable payout amounts relative to policy deductibles.
  • Provide breach coaches or forensic analysis to assist in investigation, containment, or eradication of a threat vector.
  • Provide legal representation if litigation is filed against your organization.

Questions to ask about your cyber insurance policy include:

  • Are the appropriate personnel at your company aware of policy details?
  • Are there new requirements?
  • Has your organization performed testing or exercises that incorporate the policy resources?
  • What are your requirements for renewal?
  • What resources are available to leverage?
  • When are you supposed to notify your carrier?
  • When does your coverage expire?
  • When is it too late to notify before coverage is lost?
  • When was the last time your organization reviewed your policy details?

These questions should resonate with most policyholders. It is common for some to go unanswered, yet it is imperative for entities to focus closely on policy details to ensure an effective response capability during a breach. Organizations commonly purchase coverage yet remain unaware of the resources it makes available, resources that may shape how the organization responds to a breach.

How Outsourced is the Response?

The details inside cyber insurance policies can be easily overlooked. It is important to be familiar with policy details that can assist the response effort. These details should also be evident in your entity’s incident response plan. A well-structured plan will follow industry best practice frameworks, such as the NIST Computer Security Incident Handling Guide, which allows organizations to frame a program that considers every component of the incident response lifecycle.

Every organization’s incident response program should be customized based on how the network is engineered and what coverage options are available in the cyber insurance policy. Depending on the type of coverage, organizations may only be responsible for notifying their carrier of a breach, with the carrier performing most of the breach coordination and forensic analysis. Often, detailed conversations do not occur between carrier representatives and the policyholders themselves. Conversations that clarify the role of the carrier once it is notified of a breach may save organizations time, resources, and stress.

“You should never hand out a business card at a disaster.”

Connecting with additional stakeholders like managed service providers before a breach occurs allows various parties to become more familiar with how response efforts will be deployed during a breach. Information gathered from these conversations will affirm that your incident response program considers all angles, resources, and potential outcomes.

Ongoing Effort

In today’s cyber threat landscape, building your information security program and incorporating an actionable program with appropriate teams, testing, and meaningful training can sometimes be daunting tasks. Achieving strong governance over the program, with assignment to a C-level executive such as a Chief Information Security Officer (CISO) or virtual Chief Information Security Officer (vCISO), will provide consistent momentum for the program’s ongoing maturity.

It is important to maintain a schedule for your program to ensure adherence to regulatory guidelines and/or industry best practices. Program performance can be tracked through penetration or threat emulation testing, tabletop exercises, or in-depth audit reviews. Reviewing lessons learned from testing and exercises will only strengthen your organization’s documentation. Most importantly, the program should never become siloed.

Lastly, cyber incidents can trigger cascading events that lead to connectivity issues, unanticipated loss of staff, or loss of business relations. It is crucial to ensure that all documentation in the organization, such as business continuity plans, emergency management plans, and incident response plans, complements one another and safeguards a structured response from both technology professionals and business line management.