The Top 3 Misconceptions About Cyber Insurance
November 22, 2022
When it comes to cybercrime, Cyber Insurance is one of the most important tools you can have in your arsenal to protect your business. But while a dedicated policy can help you respond and recover, it’s not a catch-all for every cyber-related risk out there.
Like any other contract, Cyber Insurance has limitations surrounding what’s covered—and what’s not. Some policies might exclude certain types of attacks, whereas others may have specific breach reporting requirements for coverage to apply. And if you don’t read the fine print, your claim could be denied unless it meets your policy’s exact terms and conditions.
With the average cost of a cyber claim for small business owners at $149,000, losing out on insurance when you need it most won’t just be inconvenient or stressful; it could be financially devastating, with massive repercussions for your long-term growth. To help you make the most of your coverage, here are three common myths about cyber coverage and what you can do about them.
1. Once you apply, you’re in.
As cybercrime grows in frequency and scale, it’s becoming harder than ever to qualify for Cyber Insurance. After years of attacks and higher-than-average claims payouts, insurance companies are being more cautious about what kinds of risks they’re willing to accept. Now, they’re mandating baseline cybersecurity controls for all clients. They’re using third-party tools to scan your servers and better understand your network security. And based on what they find, they’re declining coverage, restricting coverage, or raising premiums for anyone who doesn’t meet their requirements.
While every insurer will have different standards, most are requiring multi-factor authentication (MFA), encryption of all data in transit and at rest, offline backups, and regular security awareness training at minimum. Without these controls, you won’t be able to rely on Cyber Insurance to cover your losses. Even worse? These requirements are likely to get stricter with time as we continue to see a steady and aggressive influx of cyberattacks.
The good news? You can control what your insurance company knows about you. How? By routinely scanning your networks. This way, you can get a sense of your threat environment, identify security gaps that could lead to compromise, and proactively work to address them and minimize the overall impact of a breach.
Plus, scanning your networks won’t just help you improve your overall security posture; it’ll help you control your insurability—and your insurance costs—long-term. Whether you’re shopping around for your first Cyber Insurance policy, or renewing your existing one, you can see how you measure up before insurers do and correct any issues that could disqualify your application or cause your premiums to spike. You can show that you’re taking all steps possible to protect your business. You can retake control of the insurance process and stay one step ahead.
For maximum protection, consider ISA’s Cyber Insurability Assessment, a comprehensive scanning service offered by our partner ISA Cybersecurity. Once you sign up, you’ll receive a monthly report that evaluates your systems, flags vulnerabilities, and outlines a strategic action plan for improvement. While you can subscribe at any time, we recommend signing up at least 6 months before your existing Cyber Insurance policy expires so you can manage your timelines and make changes well in advance of renewal. To learn more about this service, click here.
2. Your policy covers third-party providers.
These days, most companies rely on cloud services providers (CSPs), like Amazon Web Services (AWS), Google Cloud, Microsoft Azure, and more, for critical business functions; however, there are many misconceptions about the level of protection they truly offer. Although cloud-based infrastructures are built for maximum security, most CSPs will only provide the services you pay for—and the security is only as good as the controls you choose to set up.
MFA, encryption, backups, and all the tools needed to fully protect your network—the tools insurance companies are most concerned about—aren’t automatically included in the basic terms of your contract; you have to “opt-in” for an extra fee if you want more protection. Simply put, your CSPs give you a bank vault to store your digital assets. But if you set the combination on the lock to something simple like “1234,” it doesn’t matter how thick the walls are—criminals still have an easy way to get in.
Additionally, using a CSP or other third-party provider to collect, store, process, or otherwise handle confidential data doesn’t transfer your liability in the event of a breach. Under Canadian privacy laws, you’re still responsible for safeguarding client data—and you’ll be liable for any damages, even if you weren’t technically at fault. As a result, most CSP contracts are structured to hold the CSP harmless in the event of a breach on their end.
How does that affect your insurance? Most Cyber Insurance applications include questions about the minimum standards of protection in place for third-party tools. If you haven’t fully reviewed your agreement, you might indicate that you have a higher level of security than you paid for. But if there’s a claim and your insurer finds out you didn’t actually subscribe for any extra security services or didn’t adequately configure your administrative controls, your policy won’t kick in and you’ll have to shoulder the costs out-of-pocket.
Thoroughly review your agreements with all CSPs. Pay attention to the specifics and customize the security to your needs. Make sure your contract addresses the following:
- Data security needs vary between industries. Is the CSP compliant with the specific privacy and security needs of your organization and industry? How experienced are they with your industry?
- Where is the data stored? While your provider may be headquartered in Canada, it could use server space in multiple countries. Depending on the location, this may mean reduced security standards.
- Is there a hold harmless agreement? Who is responsible for a breach?
- Has the CSP had a security audit in the last year? If so, will they share the results?
- Are there resources in place to back up data and ensure that there won’t be any permanent loss?
- How soon can data be restored? What kind of support will you receive if you run into any issues?
- How soon will you be notified if a breach is detected?
If needed, consult a cybersecurity expert or legal specialist for more guidance.
3. You can set it and forget it.
The cyber landscape is ever-changing. From phishing, to ransomware, to supply chain attacks, to quantum computing, hackers are getting more creative by the day and soon the rate at which they evolve will outpace the rate at which we can implement safeguards. Simultaneously, breach fallout will continue to intensify, with greater regulatory scrutiny, higher remediation costs, and increased reputational harm.
Additionally, as your business evolves, your risks will evolve too, and that includes your cyber risks. That means the policy you got when you first started out won’t be enough as you take on more clients, roll out new systems, expand into new markets, and hire more staff—simply put, as your attack surface widens. And if you don’t manage your cybersecurity or your insurance as you go along, your coverage will quickly become outdated, leaving you exposed to hefty breach costs, profuse litigation, and lost business.
The truth is: you’re never finished with cybersecurity—or with Cyber Insurance. The fight against hackers is never ending, and despite your best efforts, you could still experience a breach. To keep up with the shifting nature of cybercrime, it’s critical for all businesses to be proactive, vigilant, and agile. Even if you have safeguards in place, you need to continually reassess your cyber risk management strategy, adapt your practices, and invest in tools that help you prevent and detect attacks.
In addition to your cybersecurity strategy, you should also regularly update your Cyber Insurance policy as new threats arise. Keep your insurance company in the loop and let them know when you make any big changes, like partnering with a new CSP or collecting new types of data. Then, depending on your needs and risk profile, you can remove unnecessary coverages, add enhancements, increase your limits, and make other adjustments as needed so that you’re always protected for the best value possible.
The Bottom Line:
A comprehensive Cyber Insurance policy is critical to help you offset your losses, restore your assets, and get your business back online following a breach. But unfortunately, many companies don’t even consider buying it until they have a reason to and by then, they’re in a rush. With a tight timeline and cash flow, most businesses opt for the cheapest policy available with the minimum requirements needed to check their boxes. As a result, most businesses also don’t have coverage that really fits their needs.
While no policy is 100% foolproof, working with a licensed broker—like PROLINK—can help you get close. With over 40 years of experience and a specialized knowledge of cyber markets, PROLINK is ahead of industry trends. We can share what steps others in your industry are taking and help you become resilient in the face of attack. Our dedicated team of risk advisors will:
- Identify cyber perils, attack scenarios, and any potential losses based on your business operations and unique needs;
- Conduct a robust risk assessment of your existing insurance policies to detect any coverage gaps;
- Stay on top of emerging threats, legislation, and innovations that could affect you;
- Adopt a proactive approach to risk management to control your costs long-term; and
- Align you with specialized Cyber Insurance and risk management solutions, tailor-made for your strategic objectives and budget.
With greater visibility into your risk landscape and a dedicated partner by your side every step of the way, you can confidently stay ahead of the curve, no matter the threat. You can focus on what’s most important: your business. To learn about your exposures—and how you can protect yourself—visit our Cyber Security & Privacy Breach Toolkit and connect with PROLINK today for more guidance!
PROLINK’s blog posts are general in nature. They do not take into account your personal objectives or financial situation and are not a substitute for professional advice. The specific terms of your policy will always apply. We bear no responsibility for the accuracy, legality, or timeliness of any external content.