October 6, 2022
Cybersecurity Insurance – Understand Your Risks And Be Prepared
The insurance industry constantly faces cybersecurity threats (e.g. ransomware, phishing, risks introduced by new technologies, and third-party risks) because sensitive information (e.g. financial/credit card information, protected health information (PHI) and nonpublic information (NPI)) is handled on a daily basis. The industry must prioritize cybersecurity investments so that its cybersecurity program and security posture can effectively manage risks, reduce threats and maintain business resiliency.
Companies are asking questions about cyber insurance to determine whether they are spending cybersecurity dollars effectively. To address these inquiries, Greg Daniel and Kim Mobley sat down with Johnson Lambert’s cyber insurance broker, Dan Hudson, to discuss considerations for obtaining cyber insurance coverage, security requirements, and how to best prepare. Dan co-authored “Damage Control – Cyber Insurance and Compliance.”
Q. How does an organization prepare to obtain an appropriate cyber policy?
It starts with the amount of sensitive information that the organization stores in its systems, whether the systems are in-house, cloud based, or a hybrid, and who maintains them. Responsiveness to a hack and an understanding of cyber codes are critical on the front end. Without guidance from cyber lawyers and cybersecurity experts, dealing with an event on your own is risky. Consider selecting an insurance broker that specializes in cyber liability. Consult with the broker regarding the fundamentals of your system and related security. This will result in a recommended application to complete.
The application will be used to generate proposals from several cyber insurers. This will also likely include insurer feedback on how they view your systems. The application itself contains clues as to what is important to the underwriter. As hackers become more sophisticated, social engineering and ransomware attacks continue to rise. Many cyber insurance policies cover data breach investigation, cyber extortion-related expenses, forensic support and repair costs related to an attack. Be aware that premiums for cyber insurance policies are not going down.
Q. Is it correct to say that once an organization has a cyber policy, the carrier will pay the ransomware attack?
Not necessarily. Cyber policies contain a war clause or exclusion which specifies there is no coverage for any damages when the attack is considered “cyberterrorism”: any premeditated, politically motivated attack against information systems, programs and data that threatens violence or results in violence, as defined by the U.S. Federal Bureau of Investigation (FBI). In addition, cyber policies also need to comply with the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) sanctions list. If a cyber-attack originates from an OFAC-sanctioned entity, the carrier, or you, legally cannot pay the ransom. As a result, you’ll likely have to do it the hard way, and rely on experts to recover your systems, then deal with the fallout of a compromise of client information.
Ransomware attackers generally require payments to be in cryptocurrencies. Organizations that do not have a cryptocurrency account should consider establishing one. Be aware that it may take up to a week to complete the due diligence process. That said, cyber insurers do have the ability to pay the ransom. There is no requirement that you maintain a crypto account, but it may lend you more flexibility.
Q. How common is it that an organization pays the ransom, but the cyber attacker does not provide access to data or system or still exposes the breached data?
Bad actors generally provide access to the systems and data once the ransom is paid. They cannot afford the outcome of not restoring a system. These attackers may have shared the data and left malware within the systems once access is granted. It’s essential to have cybersecurity experts review the affected systems to determine the nature of the hack and understand the source and impact of the attack.
Q. What other considerations would you like to share?
Organizations should consider a cyber policy that includes a breach coach. This is generally a specialized cyber law firm that is retained by the insurer. The law firm maintains a 24/7 line for immediate action. They become the quarterback for your event. They advise on cyber codes, assist with retaining forensics and cybersecurity experts, then later assist with retaining vendors for notifications, credit monitoring services, public relations and business interruption determination. Some carriers provide a breach coach option in-house. Be aware that not all operate a 24/7 line. You’ll appreciate speaking with the right experts soon after you experience an event.
A cybersecurity insurance policy does not prevent cyber attacks, but it can offset their financial impact and fund the remediation of security incidents. Policies often vary between providers in what they cover and exclude. Management should review the proposed policy carefully to ensure the required protections and provisions conform to their cybersecurity strategy.
Cybersecurity insurance is one of the many cybersecurity safeguards that organizations include as part of an effective cybersecurity program. Johnson Lambert’s Consulting group can evaluate your core cybersecurity functions to address the continuously evolving cyber threat landscape.
The Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), CISA, NYDFS, and other federal and state agencies recommend against paying a ransom.
The views expressed by individuals are not necessarily those of Johnson Lambert LLP.