clindell
(CLINDELL)
1
Who has a cyber insurance policy for their business? What are you protecting and what were the requirements? Did you have to enact any internal policies to meet the requirements of the insurance?
Since our business is dependent on technology, if an outage or failure occurred, we were compromised with malware/ransomware, or another business service provider whom we partner with was compromised, there could be significant financial risk to us and/or our customers. We are being proactive in protecting our customers as well as our revenue generation and are now in the midst of taking out cyber insurance.
What are your thoughts?
7 Spice ups
Cyber insurance or not, offline backups are some of the best insurance you can get in the event of a malware/cryptolocker infection.
3 Spice ups
clindell
(CLINDELL)
3
We have offline backups. The ins agent looking into this provided us a questionnaire; I want to find out if anyone else is doing this aside from the normal IT backups and best practices.
brycekatz
(Bryce Katz)
4
Depends entirely on your business.
For example, when I ran my consultancy, my business insurance covered hardware loss from various sources (including theft) and various liability coverages relating to my work as a consultant.
I had a manufacturing client with similar coverage who found out too late what their insurance didn’t cover. They had a catastrophic hardware failure on their primary LOB server that shut down their operation for a day and a half. Their insurance covered the cost of hardware replacement, but not data recovery services, consultant fees, or the overtime labor costs required to make up for 36 hours of lost production. The costs associated with emergency data recovery ran around $95k (including a chartered plane to and from the nearest recovery center). Total loss was estimated between $300k and $500k. (Side lesson: When your IT person tells you to spend $3k on a new backup system, do it.)
Personally, I’d say you should consider relevant insurance coverage as part of your disaster recovery plan. What kind of coverage and how much coverage you’ll want to carry will depend on the impact a disaster will have. Simply signing up for $X of “cyber coverage” might (probably will?) miss the mark when the shit hits the fan.
1 Spice up
marc92
(Marc92)
5
Pay close attention to what the insurance provides. A lot of Cyber Coverage these days will simply pay for things like credit monitoring and a PR firm to help with any questions from press or public. There are some that will pay for loss of use or loss of income, but they are kind of rare.
Most of the Cyber insurance is marketed toward companies that hold PII data rather than tech companies that are building tech solutions or in some way generating revenue from technology.
2 Spice ups
clindell
(CLINDELL)
6
The policy we are looking at will cover losses in the event of disruption to our sales, since it is in a defined timeframe with proven and repeated sales history over 30 years. For instance, if we experienced a DDoS attack during our scheduled sales window or encountered any other unexpected outage that we had no control over, we would be entitled to the differences in lost sales due to the event that caused the loss. Of course this is an oversimplification, but this is what our agent is shopping for, and in the event of a privacy breach the policy has a PR firm handle the customer outreach. There is much more to this and I haven’t read through the entire policy; however, the agent and our GM have and felt it was very effective and at a reasonable cost.
1 Spice up
The policy may cover losses, but be really careful to read the fine print!
Odds are there are many “outs” embedded in the policy where the insurer can simply say that “due care” wasn’t performed and they’re not liable for damages.
brycekatz
(Bryce Katz)
8
If you’re concerned about loss of Internet-based sales, I think you’re far more likely to have issues due to an ISP outage than a DDoS attack. Keep an eye out for the “force majeure” clause. You’re unlikely to be compensated for loss due to, say, a drunk driver taking out a utility pole and severing an Internet service line.
1 Spice up
Read the details. We have this type of insurance as an ‘add-on’. The requirements were simple:
- firewall up to date and patched.
- endpoints to have AV that is at least updated weekly.
- backups that are at least completed weekly.
All of which we already met. By far.
1 Spice up