By Michael D. Moore
Don’t think that you are completely covered against catastrophe just because your company has purchased a cyber insurance policy.
If you don’t implement the required elements of your insurance policy, you will go through five stages of feeling after a hacker steals your company’s – or your own – money:
- Embarrassed – you don’t want anyone to know you’ve been a victim
- Shocked – you can’t believe it happened to you
- Relieved – you’re at peace because you had purchased cyber insurance
- Shocked again – you discover that your company violated the requirements of the policy
- Angry – you apparently did everything right… but only ALMOST everything
It’s a smart move to buy a cyber insurance policy. I’ve been preaching this for years, particularly throughout the pandemic, when finances have been crucial. But let’s take a look at what can go wrong with a cyber insurance policy.
- You fail to read every line of the document and miss the terms that render the policy useless. Example: you do not notice that you are required to notify your insurer of any breach of up to 500 records, and to notify the media if the breach exceeds 500 records. You refuse, and in doing so you violate your insurance policy.
- You fail to notice that this year’s policy terms differ from last year’s. While in the past you merely attested to your diligence in cybersecurity training and technical procedures, in 2022 you will need to provide proper documentation that you have followed all the procedures and that all controls are in place, with constant monitoring.
- This year, the burden of proof is on you, the insured, rather than the insurance company. You are now required to maintain meticulous records to prove that you are complying with ongoing cyber training and record-keeping.
- You overlook the fact that catastrophic coverage will be written in as an exclusion. Just when you feel covered for a massive event, you find that very event is excluded.
- You become uninsurable. When carriers notice that you have neglected cybersecurity training, that you don’t implement two-factor authentication, or that you fail to maintain records that confirm your diligence, they are reluctant to take on such a risk.
In our company, we recognize when clients are placing themselves in peril by compromising on the diligence the insurance carrier requires. In those cases, we require the client to sign a Decline of Services Letter, which states that the client has knowingly chosen not to fulfill some of the actions required by the policy and by our recommended procedures.
The client is taking the risk that the hackers will choose someone else and leave the client alone. This client is rolling the dice.
We also realize that there will be great frustration whenever a hack might occur. The client will be frustrated at everyone involved, even though that client made the ultimate decision not to comply with the insurance protocols.
We have dealt with one client who has paid off hackers six figures on multiple occasions this past year because the company’s employees don’t want to deal with the hassle of insurance protocols. The company’s top executives feel it’s a cost of doing business that outweighs the potential of losing employees frustrated by the required diligence.
While you may hope that you are completely covered, you are unlikely to be. Once you ask your IT/Cyber team to open holes in your firewall so a client’s employees can work from home, you have opened a door that welcomes hackers in. By implementing procedures that make access easy for your employees, you have also made that access easier for hackers.
Your cyber insurance policy is a living, breathing document. Policies written in January will not have as many exclusions as those written in April, or July, or December. This is not the time to ask your IT team to review and interpret the legalese in this new document.
Commit your IT/Cyber team members to do what they do best – develop strategies and tactics to keep your company safe. Rely on your attorney to review and interpret the changes in new cyber insurance coverage.
There will be yet another change: cyber insurance rates will continue to escalate. We’ve seen premiums for identical coverage rise anywhere from 30% to more than 100% over 2021 rates, depending on the terms within the policy.
The ultimate solution consists of:
- exercising extreme vigilance: Comply with each of the terms within your insurance policy.
- being relentless in cybersecurity training: Teach your employees what a scam looks like, and how to report this concern, and refresh this training regularly.
- trusting your attorney(s) to thoroughly review insurance policies: This leaves your IT/Cybersecurity team the time to focus on what you’re paying them for.
Cyber insurance offers coverage for companies that comply with policy guidelines. Those wanting to fly alone, without regard to consequences, are playing a risky game!
Michael D. Moore is a cybersecurity expert and founder/CEO of M3 Networks in Southlake.