Jon Bolden, Chief Information Security Officer, sits down and opens up about cyber insurance. Learn about premiums, lost revenue, recovery of hard and soft assets, and much more.
As I mentioned in my previous blog on ransomware statistics, cybersecurity insurance can be a vital step in preparing your business for an incident. When buying cyber insurance, however, there are many factors to consider and roads to navigate to ensure you’re effectively covered.
First off, everyone wants to know what their overall cost will be. Insurance companies don’t neatly break this information down, so suffice it to say that you must have a way to recover your data should you lose it. If you face an event where you are re-imaging machines, recovering data, and perhaps pulling data back down from an off-site resource, keep in mind that every one of these critical actions consumes resources, whether it’s a paid service or something you’re doing in-house.
The good news is there’s an insurance policy that covers those types of activities. But be sure to read the fine print. Here are some cybersecurity insurance policy types to consider.
Coverage for Loss of Productivity
One company we were helping thought that they were in especially good shape because they had cyber insurance to recover their data. They also thought that they were covered for loss of revenue or loss of business. It turns out that their insurance policy only covered them for 10 hours of downtime. If you think about how much revenue your organization generates on a daily basis, covering only 10 hours can leave you with a monumental gap when trying to resume operations. About 34% of companies that get hit with such an attack take a week or more to regain control of their assets, whether to resume 100% business functionality or even just a skeleton level of operations to conduct the bare minimum of business. That is a scenario you do not want to face.
Make sure that you have the proper insurance to recover beyond equipment and software. There are many instances where data is gone and people attempt a recovery only to find out that they don’t have their license keys or the ability to reinstall the software that was taken down. So it’s important that you have coverage for that as well.
Privacy Laws and the Media:
Depending upon what type of business you’re in and where you’re conducting business, you could be faced with privacy and notification laws. You need to ask whether you are covered in dealing with the media. For example, do you have to make a statement about what was lost from your network or what may have been compromised? There are rigorous legal standards today that you need to be aware of.
In some cases, the equipment is so thoroughly compromised or the event so bad that you will never be able to trust the device again. Some people will just buy new equipment to get back in service, but is that equipment covered and set up properly? Do you have a plan in place to recover that data, bring it back into production, resume doing business with customers, and allow your employees to perform their jobs? The integration of new equipment into the IT environment is equally important to consider.
Pay the Ransom
There are also insurance policies that cover you should you contemplate paying the ransom, especially if you find yourself in a position where you do not have a backup you can rely upon and you do not have the resources to perform a bare-metal restore on your entire infrastructure. Some insurance coverage will take care of the negotiations and help you navigate the ransom payment process. And if there are legal ramifications, insurance companies may help you contact law enforcement or other oversight entities. Ensure you have this type of coverage.
There are also ransom insurance policies. You may have normal cyber insurance, and then you can have enhanced cyber insurance services with more flexibility. When considering these policies, be aware that some underwriters will dictate who you can use as a resource to help you recover from an event. Such restrictions might preclude you from leveraging partners and vendors that you’re comfortable with, have a relationship with, or that already house some of your assets or information.
And that list of “approved” companies can be completely arbitrary, depending on deals made between providers and underwriters rather than on merit. Therefore, you’ll want to make sure that you have your options in front of you: who you can go to, who you can count on, and how you would recover those losses should you have to make that type of engagement. And remember that this engagement doesn’t have to be with a third party. You might have staff in house who are capable of helping you recover; however, you’re likely going to incur a 50, 60, or 70% increase in overtime hours and money spent in recovery. That obviously hits the bottom line, and you need to have a plan to address it.
Talk with your team and a trusted IT advisor if necessary to determine which types of insurance are right for your organization. There’s nothing like finding gaps in your insurance after a security event has occurred to add extra misery to an already stressful situation.
Thank you for trusting us to help with your cybersecurity needs.
Contact us anytime; we’re always happy to help.