Cyber Insurance: A Checklist for Companies of Every Size
Cyber insurance policies were first introduced in the early 1990s, but they’ve changed a lot since then due to the growing number of cyberattacks and the increasing sophistication of those attacks.
Initially, they covered businesses from financial losses that could result from a data breach, such as data restoration, legal fees, and even public relations costs. Now, cyber insurance policies can cover a broader range of risks, including:
- Data breaches
- Ransomware attacks
- Malware attacks
- Business interruption
- Regulatory fines
- Denial of service attacks
- Social engineering attacks
As the cybersecurity threat landscape evolves, we want to help you protect your company and data. But obtaining cyber insurance isn’t always simple — especially in the age of remote work, ransomware-as-a-service, and digitization. To help, we’ve put together a checklist of things to consider when planning for cyber insurance.
If you read nothing else, read this: cyber insurance is just one piece of a comprehensive cybersecurity plan. Even with a policy in place, you still need to take aggressive action to protect your company and your data.
Company size: when is cyber insurance right for you?
We strongly believe that companies of every size should carry cyber insurance. That said, small- to mid-sized companies have unique needs when it comes to cyber insurance because they often have limited resources and may need more in-house expertise to manage risks.
Cyber insurance companies will work with you to determine the correct type of coverage for your business.
Coverage types: what’s covered under different policies?
There are two types of coverage that refer to different kinds of losses a cyber insurance policy can cover:
- First-party coverage covers losses incurred by the insured business, such as the cost of data restoration, legal fees, and business interruption.
- Third-party coverage covers losses that are incurred by third parties, such as customers and vendors, because of a cyber incident at the insured business.
Ultimately, the best type of cyber insurance coverage for your business will depend on your specific needs and circumstances. We recommend carefully considering your risks and consulting with an insurance professional to determine the best coverage for your company.
Policy requirements: what do you need to qualify for cyber insurance?
Every cyber insurance company will have different requirements and qualifications, but, generally speaking, you’ll need to have some or all of the following security measures in place:
- Systems backups both on and offsite: These backups need to happen frequently, need to be encrypted, need to be offline, and need to be regularly tested to ensure they work as intended.
- Multi-factor authentication (MFA): This identity and access management tool helps prevent credential theft and adds a layer of protection for user logins.
- Endpoint detection and response (EDR): Software that monitors and responds to threats on your network (rather than standard antivirus software).
- Incident response planning and testing: Having a strong incident response plan that lays out the immediate steps you’d take in response to a cyber attack is critical for saving time, costs, and data if a worst-case scenario occurs.
- Email filtering and web security: Business email compromise attacks are on the rise and, considering that email is the main form of communication for many businesses and vendors, that element has to be protected from cyber criminals.
- Patch management: Many attacks begin with external exposure and, unfortunately, over half of all vulnerability-originating breaches could have been prevented with proper patching. Implementing a regular patch management strategy stops these threats in their tracks.
- Employee training: Users can be the first line of defense, and also a major target, when it comes to cybercrime. Building a strong culture of security awareness can prevent phishing attempts, protect credentials, and exponentially increase your organization’s overall security.
Coverage amounts: how do you determine the type or amount of cyber insurance you need?
The amount of coverage you get from cyber insurance depends on a few things, like the size and type of your business, the industry you’re in, the level of risk your business faces, and the specific coverages you want.
Typically, businesses get cyber insurance with a per-occurrence limit and an aggregate limit. The per-occurrence limit is the most the insurance company will pay for a single claim, while the aggregate limit is the most they’ll pay for all claims during the policy period.
The insurance company typically sets the per-occurrence and aggregate limits, but you can negotiate them. When setting these limits, you should consider your specific needs and risks. For example, if you were out of business for two weeks to a month, what would that cost you in terms of lost revenue?
Completing insurance applications: should you go it alone? Or work with a vendor like SUCCESS Computer Consulting?
Cyber insurance policies are complex, so we recommend working with a vendor like SUCCESS to at least get some high-level advice. This is critical because if your policy isn’t accurate, you could jeopardize your coverage in an incident – similar to any other insurance policy.
A vendor can help you complete due diligence, ensure your security measures are correct and accurate, and assist with the application questionnaires you’re required to complete. They can also ensure you’re staying relevant from a security posture and remaining up to date on security trends, which can be challenging to navigate independently.
Policy renewals: what should you consider during renewal season?
Renewing your organization’s cyber insurance policy is crucial for remaining adequately protected against cyber threats, and there are a few key factors to keep in mind when doing so:
- Proactively begin the renewal process
Don’t wait until the last minute to initiate the renewal process, which can include completing in-depth renewal documents such as policy forms or questionnaires for your broker. Starting early also allows ample time to thoroughly evaluate the existing policy, explore alternative options if necessary, and negotiate favorable terms, if possible.
- Review the limits of your current policy
Cyber risks are constantly evolving, and what may have been sufficient coverage in the past may no longer be adequate. It’s important to assess the potential financial impact of a cyber incident and adjust your coverage limits as needed.
- Be aware of new insurance requirements
Cyber insurance requirements can change from year-to-year, so staying up to date on the latest criteria is crucial for avoiding any gaps in coverage and ensuring your policy remains effective.
Need help with your cyber insurance policy?
At SUCCESS Computer Consulting, we have years of experience helping small to mid-size companies understand if they’re meeting cyber insurance requirements, and we’re available if you need help. Just remember that cyber insurance is not a substitute for good security practices. You’ll need to implement strong security measures to protect your data and systems. Our experts can help with that, too.
Contact us to learn more about our industry-leading best practices in cybersecurity.