We have been presented with a quote for cyber liability insurance. I’m not fully sold on it yet and wondering if anyone else is looking into it and/or if they have recently opted for a cyber insurance policy and the reasons why you decided to move forward. We are currently in process of upgrading all firewalls and endpoint protection and changing policy to reduce our risk. But we also don’t conduct business online or store any sensitive client information so I don’t really see how having a policy like this would be beneficial.

Thoughts?


We have it, but there is a pretty large deductible; we do receive a discount on the premium if we hold Security Awareness sessions for our users.


Do you mind sharing what industry you’re in? What helped your decision to move forward with having an insurance policy in place?

Like the rest of insurance, it seems like a legal form of racketeering.

We just bought it.

We are working on getting a discount by getting us the Cyber Essentials Certificate.

My bosses prefer to be safe than sorry.

Being in the Housing industry and keeping a ton of customer data, it is a reasonable idea. It might get costly if there is any data leak.

We are in the construction industry. This was a decision made by the CFO and our Insurance company.

My organization is non-profit, and we have a form of it. Granted, we collect and maintain a certain level of important information that could result in legal issues were it compromised. That’s the reason we obtained a level of such insurance.

If you aren’t liable for things, don’t get insurance protecting your liability. I didn’t even know this was a thing, but it doesn’t surprise me.

Continue with solid security and hopefully go beyond ‘firewalls and endpoint protection’.

How could this be decided without a Risk Assessment?


Look at what it would actually pay out for, and what it wouldn’t cover if your company was found to be at fault…


This was planned after the Meraki router and endpoint security projects are complete, but great suggestion!

We just bought a professional liability policy. My understanding is there is really no such thing as specific ‘cyber liability’ insurance; it is just a marketing term to sell professional liability insurance to tech companies. The policy we purchased covers about everything bad that could happen up to 5 million dollars, and the main reason we purchased was as a requirement from an MSA (master service agreement) that we entered into with a large company that required we hold it. Some people/companies like to be overinsured and there is nothing wrong with that. It is just a cost/risk balance that a person or company is comfortable with. Most insurance is something you hope you never need, but if you do, you are glad you have it.

I would say this is not the important consideration. The consideration is more, “Could we ever be sued/found liable for making a mistake of any kind?” The answer to that is generally yes…

I work for an MGU insurance company and we offer Cyber Liability as a standalone product, and embed it into some of our other products. I help develop eLearning modules to educate our insureds and lower risk, hopefully, evaluate claims that come in and help with planning the overall programs, applications, etc., as well as oversee our cybersecurity program pursuant to recent NY state regulations for financial firms of a certain size.

Insurance, in general, is a form of transferring risk best used as a risk treatment for cases in which the damages are potentially very high, but the chances of it happening are low, like a flood, fire, etc. Remember that insurance is there to get you back to where you were before the disaster, and one of the things I had to accept here was that it wasn’t my job, because it wasn’t the function of the cyber insurance coverage, to prevent the disaster from recurring. As a born fixer, that was hard for me, but I’m full of KoolAid by this point. Honestly the main benefit is protection if you happen to leak sensitive data, or worse, happen to fall prey to financial fraud.

If you don’t have any of this on your enterprise, you’re fine without it:

  • Authentication verifiers (password, shared secret for VPN, crypto keys) that protect the following

  • Financial data including Federal Tax

  • Protected Health Care data/records

  • Payment card information

  • Personally Identifiable Education Records

  • Personally Identifiable Information (SS #, License, State ID, Financial, health)

As always, the cost of insurance should be less than the damage or it doesn’t make sense.


So, a question for you: even excluding all your other bullet points, I think all businesses are required to keep records of some Personally Identifiable Information (SS #, License, State ID, Financial, health) of their employees. It makes me wonder how that factors in. Say someone hacks my accounting or payroll package, or an employee maliciously or accidentally shares the data. Would professional liability be the only type of insurance to cover potential legal fees from a lawsuit, etc.?

It depends on how the exfiltration occurred, the controls you have in place, and the terms of your policy, but no, it’s not the only type, and it’s possible it’s not covered by a professional liability policy. Keep in mind, policies differ widely from underwriter to underwriter, state to state, and even among accounts within underwriters.

Professional Liability/E&O is for companies that provide services or advice to others and could be accused of negligence. Commonly referred to as ‘Malpractice Insurance’ for Doctors and Lawyers, but there are products for all sorts of obscure industries out there. It’s something I would need if I were an independent consultant and told clients that hashing with SHA1 was a good idea.

It is definitely fair to press your agent or underwriter to understand the limits/terms of your coverage, and I think it’s something all businesses should do to best understand their risk profile.

Cybersecurity coverage is for any type of business that has valuable assets that could potentially fall prey to cyber threats. It is generally more focused on the scenario you propose.

My recommendation to most companies is to use a cloud based offering for HR/payroll after doing their due diligence to ensure that provider is contractually bound (and this is almost always the case with reputable providers) to meet or exceed regulatory, legal, and company needs. You are still ultimately liable, but you have effectively transferred that risk to the provider, who will be carrying E&O for the service that they provide to you.


You may not store sensitive client/patient/consumer information, but that doesn’t mean that you would not suffer losses in the event of a malware/ransomware attack for example. That has potential to cause considerable downtime and remediation costs.

Then there is employee data that could potentially be stolen or disclosed by employees. There have been many W-2 Form phishing attacks this year. As Brandon Svec says, “Could we ever be sued/found liable for making a mistake of any kind?” It’s a good point.

You should perform a risk assessment to determine where your weaknesses are, and try to determine the likelihood of a cyberattack/data breach. Assess the cost of mitigating each scenario and the cover the policy provides, taking the deductible into consideration. You also need to check that the policy provides cover for the types of incidents you are most likely to experience, in particular for phishing attacks etc. when employees may cause a breach/install malware. As we have seen already this year, insurance policies do not always pay out (Moses Afonso Ryan Ltd ransomware attack).