In an era where businesses rely heavily on technology and digital operations, the threat of cyber attacks is something that businesses can no longer ignore. Protecting your business from potential losses resulting from a cyber event is not just a matter of caution—it's a necessity.
Today, we'll delve into crucial aspects of cyber insurance, covering topics such as cyber security, ransomware attacks, and the various coverages provided by cyber insurance policies. This blog was written as a summary of a webinar we recently held outlining cyber insurance coverage with guest speakers, Cohen Barnes, President of SundogIT, Alexandra Bertschneider CCIC, VP of Johnson Kendall & Johnson, and Spencer Pollock CIPP/US, CIPM, Member of McDonald Hopkins.
As technology advances, so do the methods employed by cybercriminals. Threat actors target personal information, ranging from financial data to social security numbers, exploiting vulnerabilities in computer systems. Cybersecurity is no longer a luxury but a fundamental component of safeguarding your business.
And while having the right technology in place to provide layers of protection is vital, Spencer made the point that "People often focus on the technology side, but the human element is equally important."
Cohen set the stage with this real anecdote that he and his team experienced very recently:
So imagine you've got an email account and you've got two-factor authentication on it. And this email account actually got compromised.
Now you could say, how could anyone compromise email, or compromise two-factor authentication, because they don't have my phone? We're not going to get into that here, but there's a thing called 2FA fatigue and man-in-the-middle.
The threat actor got in there, looked through all the emails, all the sent items, all that. And then imagine that hacker realizes, hey, they have a big project going on right now.
So the hacker started realizing progress payments were coming up. They emailed the client, "Hey, for progress payments going forward, we've actually changed banks recently."
So the client's guard dropped. "Oh, it's just a status update on where I need to wire the money."
And the client paid $118,000 to the hacker...
If they can't get money out of you, they're going to look to your client base and figure out how they can actually get money out of them.
This is what we're seeing on a regular basis, which is exactly why Alex's industry is there, which is exactly why Spencer is here. The roles that they perform post incident are an absolute reality.
In the aftermath of a business email compromise, the webinar highlighted the substantial costs that aren't usually considered:
Investigation Costs: Confirmation of email compromise triggers the need for a thorough investigation, involving legal oversight from professionals like Spencer and engaging a forensics firm. Alex stressed the necessity of "stopping the bleeding" and assessing the scope of compromised accounts.
Data Analytics and Notification Obligations: Once the investigation identifies affected individuals, a data analytics firm comes into play to scrutinize the content of compromised emails. This step is crucial for determining the presence of sensitive information, such as personally identifiable information or proprietary data. Subsequently, the business must navigate the complex web of notification obligations, complying with various laws and contractual agreements. Alex highlighted the intricate details, saying, "Unfortunately, the devil's very much in the details... you might have agreed to notify somebody within 24 hours if you've had a cyber incident, and you need to comply with that."
These multifaceted repercussions underscore the importance of businesses being prepared for the intricate aftermath of email compromises.
In the ever-evolving landscape of business risks, insurance plays a crucial role in safeguarding companies from unforeseen challenges. While most businesses are familiar with general liability insurance, there's a growing need to understand the nuances of comprehensive cyber liability insurance in the face of increasing digital threats.
General Liability - The Traditional Shield
General liability insurance has long been the go-to safety net for businesses, offering protection against bodily injury, property damage, and personal injury claims. This insurance is designed to cover physical incidents that may occur on business premises or as a result of the company's operations.
However, as technology continues to intertwine with everyday business activities, the limitations of general liability insurance become apparent. Traditional policies may not adequately address the sophisticated digital risks that modern businesses face, leaving a significant gap in coverage.
Cyber Liability - Bridging the Digital Gap
The rise of cyber threats, ranging from data breaches to ransomware attacks, necessitates a more specialized form of insurance – cyber liability coverage. Unlike general liability, cyber liability insurance is tailored to address the unique challenges posed by the digital realm.
Understanding Cyber Liability Components
Bridging the Gap with Both Coverages
While general liability insurance remains a fundamental component of risk management, it's increasingly essential for businesses to complement it with comprehensive cyber liability coverage. The integration of both types of insurance ensures a more holistic approach to risk mitigation.
The cost of cyber insurance depends on multiple factors, including the size of your business, the industry, and the level of coverage needed. This is by no means an exhaustive list, just a highlight of the points mentioned in the webinar:
Understanding the nuances of cybersecurity insurance applications is crucial for organizations seeking coverage. The experts highlighted the importance of accuracy in these applications. While occasional human errors are understandable, consistently misrepresenting security measures could be deemed a material misstatement, potentially leading to claim denials.
Accuracy is Paramount: Inaccuracies in cybersecurity insurance applications, especially material misstatements, can lead to claim denials.
Over-articulation is Key: Organizations are advised to provide detailed supplementary information and to over-articulate their responses to ensure clarity in applications.
Future Plans Matter: Sharing future cybersecurity plans can instill confidence in underwriters and potentially lead to more favorable terms.
These insights underscore the need for a collaborative and comprehensive approach to cybersecurity. Organizations must diligently fill out insurance applications, ensuring accuracy and transparency. Seeking legal counsel and involving cybersecurity professionals can aid in navigating the intricacies of these applications. Moreover, organizations should not solely rely on a parent company's policy for subsidiaries' coverage but consider obtaining separate policies to address potential gaps.
In the ever-evolving landscape of cybersecurity threats, staying informed and proactive is paramount. Webinars like these provide an invaluable platform for industry leaders to share expertise, helping organizations strengthen their cyber defenses and navigate the complex realm of cybersecurity insurance.
Palmetto Technology Group (PTG) is an award-winning IT support and managed service provider headquartered in Greenville, South Carolina. We believe in delivering phenomenal IT experiences by people you’ll love. As a trusted partner, our goal is to help business owners lower their risk, secure their data, and promote productive employees.