Is Cyber Breach Insurance part of your Cybersecurity roadmap?

SecureFLO.net

Introduction

As you have probably seen in the news, cyberattacks have grown across all business sectors. Companies of all sizes are getting hit by ransomware, which costs them not only money but also reputation when customer data is compromised. We recommend getting cyber breach insurance as part of your cybersecurity and privacy strategy. In this article, we’ll discuss why cyber breach insurance is important, and the security controls that insurers will require you to have in place before they underwrite a policy for you.

Here at SecureFLO, we are a cybersecurity and privacy consulting firm and not insurance agents. We don’t want to sell you a cyber insurance policy. We consider recommending cyber insurance our responsibility as your security advisor. We believe that organizations of all sizes should include cyber breach insurance along with other necessary business insurance to protect the investments in your organization.

Cyberattacks Getting More Frequent and Expensive

Cybercrime was forecast to cost the global economy $6 trillion in 2021. Cybercrime Magazine reported that Cybersecurity Ventures expects global cybercrime costs to grow by 15 percent per year over the next five years, reaching $10.5 trillion USD annually by 2025, up from $3 trillion USD in 2015.

According to the FBI, the total cost of cybercrime in the U.S. was $3.5 billion in 2019. The Ponemon Institute found that the average cost globally of a data breach was $3.86M, while in the United States in 2020 the average cost of a data breach was $8.64M. It took 280 days on average to identify and contain a data breach.

Companies Fined and Sued for Not Meeting Security Standards

When analyzing cybersecurity breaches, companies’ losses include the ransomware-related attacks themselves as well as the fines for not informing clients or regulatory authorities in a timely manner as required. High-dollar fines are assessed in healthcare and financial services for noncompliance with regulations.

Some examples of fines and lawsuit costs are:

    1. Rochester, New York-based Excellus Health Plan, a member of the Blue Cross Blue Shield Association, was investigated to identify potential HIPAA compliance issues following a report of a data breach of 9,358,891 records in 2015. As part of a settlement, Excellus was fined $5.1 million.

    2. The largest HIPAA violation penalty of 2020 was imposed on the health insurer Premera Blue Cross. Premera Blue Cross was investigated over a data breach in which the protected health information of 10,466,692 individuals was obtained by hackers. Premera was fined $6.85 million.

    3. Despite alerts in place, Target lost 40 million credit card numbers back in 2013, still among the most shocking PCI DSS compliance breaches to date. The data theft cost Target nearly $18.5 million in settlements across the U.S. as well as more than $202 million spent on legal fees.

    4. Equifax data breach: with over 143 million Americans affected, or 45 percent of the U.S. population at the time (not to mention the Britons and Canadians whose data was also breached), this data breach left a huge impact. The settlement totaled $425 million, and those impacted can still file claims for expenses until January 2024 for any identity theft or fraud related to the breach.

    5. Amazon’s gigantic GDPR fine, announced in the company’s July 2021 earnings report, is nearly 15 times bigger than the previous record. Amazon was fined €746 million ($782 million) for the breach.

    6. Ireland slammed WhatsApp with a €225 million GDPR penalty after claiming that the messaging service had failed to properly explain its data processing practices in its privacy notice.

Do Small and Medium Sized Businesses Really Need to Worry About Cyberattacks?

The owners and leaders of small and medium-sized businesses might be tempted to brush off the need for cybersecurity insurance as something that only impacts large enterprises, not them. No company is immune from a cyberattack, and SMBs might not be able to absorb the costs and fines assessed on the large companies described above.

If you’re still in denial about the chances of your small or midsize business becoming a victim, consider that 61% of all SMBs have reported at least one cyberattack during the previous year. A benchmark study by Cisco found that 40% of the small businesses that faced a severe cyberattack experienced at least eight hours of downtime. Data is your most precious commodity in business today. Protect your data and business reputation by developing a cybersecurity and privacy roadmap, analyzing the risks to your confidential information, and managing your risk.

Required Security Controls Before Insurers Will Cover Your Company

Insurance companies today want to know that you take the cybersecurity and privacy of your data seriously. They want to know that you have conducted an internal risk assessment of your business. An assessment gives the insurer confidence that you take these risks seriously and manage them by monitoring, remediating, and staying ahead of critical data security concerns.

We know there is tremendous fraud now that many companies have a larger remote workforce and data is often shared in cloud environments. Fraud can come from inside or outside your organization. As you build the trust of your customers by assuring them that you protect critical data using industry standards and best practices, you will also need to monitor threats to your data on an ongoing basis. We can help you build a roadmap for data security that is both thorough and flexible and can grow as your organization expands.

There are four categories of controls to consider. The controls you implement will differ based on your data flows and how your internal and external users access data. The four categories of controls are:

    1. Managerial Controls are the policies and procedures we often discuss with clients. They aren’t as “cool” as a new software control, but they exist to give structure and guidance to you and other members of your organization, ensuring nobody gets fined or causes a breach.

    2. Physical Controls limit access to systems in a physical way: fences, CCTV, dogs, and even fire sprinklers.

    3. Technical Controls are those that limit access on a hardware or software basis. They don’t limit access to the physical systems the way physical controls do, but rather access to the data or contents.

    4. Operational Controls involve people carrying out processes on a day-to-day basis. Examples include awareness training, asset classification, and reviewing log files.

Depending on the threat and your vertical, below are additional controls you can use to mitigate your data risk:

    1. Preventative Controls exist to stop an action from happening and include firewalls, fences, and access permissions.

    2. Detective Controls are only triggered during or after an event, such as video surveillance or intrusion detection systems.

    3. Deterrents discourage threats from attempting to exploit a vulnerability, such as a “Guard Dog” sign, or dogs.

    4. Corrective Controls move a system from one state to another after an event. This is where fail-open and fail-closed behavior is addressed.

    5. Recovery Controls get something back after a loss, such as the recovery of a hard drive.

    6. Compensating Controls are those that attempt to make up for the shortcomings of other controls, such as reviewing access logs regularly. This example is also a detective control, but compensating controls can be of various types.

Minimal Requirements and Best Practice Controls

Based on our experience with insurance companies, these are the minimum requirements we often see an insurer require in order to provide you with cyber breach insurance:

    1. All PCs must be equipped with antivirus software, and it must be kept up to date.

    2. The company network must be protected using a firewall.

    3. Business data must be regularly backed up using external media or a secure cloud service.

    4. Two-factor authentication is preferred.

    5. Regular monitoring of threats must be performed.

As you enhance your organization’s security program, there are best practices you should consider adding to help manage or reduce the opportunity for a data breach:

    1. Perform a quarterly risk assessment.

    2. Document your policies and procedures.

    3. Follow a standard like NIST, ISO, CAIQ, or COBIT.

    4. Implement strong authentication.

    5. Protect your data using encryption.

    6. Have a Business Continuity/Disaster Recovery plan in place.

    7. Develop an Incident Response program.

    8. Perform penetration testing at least annually.

    9. Perform quarterly vulnerability scans.

    10. Scan all software code for security vulnerabilities.

    11. Provide endpoint protection and malware protection for individual laptops/desktops.

    12. Monitor for threats and vulnerabilities continuously.

How Can SMBs Start Searching for Cyber Breach Insurance?

The FTC provides great educational resources and locations for small and medium businesses to understand and purchase insurance. You can access the FTC resources here.

Additionally, the largest insurance firms like The Hartford, Travelers, Chubb, Hiscox, and AIG all offer cyber breach insurance to companies. They all have great websites and resources. There are also online brokers like Embroker that allow you to shop for the right insurance based on your company’s revenue and provide metrics to get estimates.

Conclusion

As we discussed above, a good cybersecurity strategy today includes cyber breach insurance as a critical part of your overall strategy. It is important not only to develop controls to protect against breaches but also processes to recover and continue business operations in the event of a breach. Business continuity and disaster recovery are as important as monitoring and encryption in your overall strategy to control and manage your sensitive data.

Request a quote today!