I’m going to start by scaring you. If you have a company or organization with more than ten people in it, and you don’t have cyber insurance in this day and age, you need to make a phone call and get insured right now. It’s THAT important.
And I’m not going to sugarcoat it – it won’t be easy.
When we renewed our cyber insurance policy last year, we answered 8 or 10 questions, the agent took it from there, and – PRESTO! – we were renewed.
Up comes 2022 and, who knew, there are now 4 to 8 PAGES of questions that seem directed to a rocket scientist. Your agent is no help, and your IT guy just shakes his head. Be legitimately fearful of answering a question incorrectly, because, when you submit a claim, the insurer could cite your answer, claim fraud or gross negligence, and reject your claim!
And you will be left 100% on the hook for whatever happens – lost income, ransom payments (really!), actual damages, lost customers… all on you. 100%. Because you didn’t answer a question correctly. Or because you haven’t REALLY been doing the thing that you said you were doing when you answered the question.
Qualifying for a cyber insurance policy today can be a challenging and tedious process. Gone are the days when a simple phone call to an insurance agent and selecting coverage limits lead to obtaining a policy. Today, due to the sharp increase in ransomware attacks and multimillion dollar payouts, along with stricter cybersecurity controls required by underwriters, obtaining cyber insurance is now an essential objective and corporate imperative for organizations, but not a certainty.
And that’s not the half of it.
Cyber insurance, like other business functions, is shrouded in its own myths.
One popular story is that organizations do not need cyber coverage because their other insurance will cover cyber events. That generally is not accurate.
Saying that again for emphasis – your regular business insurance most likely WILL NOT COVER A CYBERATTACK.
While some business policies might have a small amount of cyber coverage, it normally is insufficient to meet the very high costs related to cyberattacks. Popular business coverage, such as errors and omissions, key person insurance, general liability, commercial property, and other kinds of business policies simply are not designed to meet the specific needs of a cyber insurance policy.
Other than a standalone cyber insurance policy, there is no other policy that will cover you for data breaches, data misuse, ransomware, malware… everything that we’ve talked about and continue to talk about in our numerous posts about cyber security.
It is important to notify the insurance company immediately if you have a breach or ransomware attack, even if you plan to cover the loss yourself. During the investigation and mitigation process, the investigators might find additional damage you were not aware of from the attack. Additionally, all discussions with attorneys are protected by attorney/client privilege, so no secrets can be disclosed in case of a lawsuit.
Another myth to be dispelled is that insurance companies do not pay claims for cyberattacks. That is simply incorrect, as is the notion that filing a claim is difficult. If you avail yourself of the tools that are available, it is straightforward.
Ransomware is far and away the largest cause of cyber claims now. It is prevalent, but the cyber insurance does cover it. Ransomware itself can also be accompanied by data breaches.
If an attacker installs ransomware and at the same time steals data and essentially hold that data for ransom, you have two cyber actions — introduction of ransomware and a data breach with extortion. However, they are not necessarily two totally distinct events.
Do you REALLY need cyber insurance?
Do you have twenty thousand or fifty thousand or a hundred thousand dollars you don’t really need? Do you have it in Bitcoin? If your business is shut down for three days or a week or two weeks because you’ve been attacked, hacked, or shut down for ransom, will the business survive?
As I share in another post, “It is estimated that 60% of small businesses hit with a breach will close in the year following, with 90% closing by the end of the second year.”
You don’t want to be one of those statistics – and you certainly don’t want to be on the hook for the financial fallout.
A lot of organizations think, “I don’t need cyber insurance because my environment is secure.” But it isn’t just YOUR environment that you need to be concerned about. While your environment might be safe, you still need to be concerned with the safety of anyone who connects to your network – potentially your customers, third-party suppliers, services vendors, contractors and subcontractors, and even employees working from home. If any organization or person who connects to your network is hit by any kind of incident, you too are at risk.
There are many variables and tech talk to ensure your coverage will be there when you need it. If you need help weeding through the mess and making sure you have the policies and technology in place to appease the auditors and handle the risk, we’d be glad to have a conversation with you.