As more companies come online offering cyber insurance coverage, decision-makers across the country are faced with a tough choice.
Do we trust in our own cyber security measures, controls, and assessments to be able to accurately fulfill the requirements cyber insurance companies are asking for?
Cyber attacks are becoming more frequent and consequential, but what does that mean for your company and its cyber protections?
Working with an expert can help answer the difficult questions that accompany the cyber security space and streamline the process, especially as it pertains to insurance coverage.
Do you need cyber insurance?
Vulnerabilities can creep in from anywhere, especially as the sophistication of cyber attacks increases. In theory, an insurance policy that protects you from malicious cyber attacks is a good thing, right?
The short answer is yes, but it can often be complicated to secure (or to make claims). The cyber insurance landscape in Canada is challenging right now, and as more people see the value in this kind of protection, it’s becoming more popular and more expensive.
But as these policies evolve, claims and coverage are becoming more complicated to navigate due to increased requirements and higher costs.
Ultimately, a lot of emphasis is placed on the information provided during the application process. Some insurance companies will challenge coverage after a claim because of incorrect information within the application. For decision makers, having a clear understanding of the company’s cyber efforts, and a way to validate responses, is of the utmost importance.
If you’ve been relying on your IT department alone to make these kinds of decisions or provide this information, it’s time to collaborate.
Five things you need to know
Questions you have to have answers to about your company’s cyber security
Before committing to a cyber insurance policy, or filling out an application for coverage, there are some things to note that could impact your ability to make a proper claim that will be paid out.
There is often a gap between the application answers and what is actually going on when a company or incident is investigated following a claim.
Here are five important things you need to know the answer to ahead of applying for a cyber insurance policy:
- Vulnerability and patch management
- Asset management: Does your company have an inventory of all the software and hardware it uses?
- Third-party and supply chain security: Does your company regularly assess partners, contractors, and vendors for cyber security risks?
- Penetration testing: Does your company conduct a penetration test on a regular basis and address the findings from those tests in a meaningful way?
- Monitoring: Does your company have a continuous monitoring capability and how, if at all, does it respond to alerts in a timely manner?
Important things to note about cyber insurance before finding a policy
If you’re actively searching for cyber insurance coverage and/or are filling out applications for coverage, it’s vital to know that you must be able to actually prove the information you’ve stated in your application in the event of a claim.
Most cyber insurers in the market today will ask more than 80 questions in a coverage application and they’re written differently than typical insurance policy applications.
Take caution to ensure you have the right coverage and limits for your organization.
As insurers are asking for more proof of controls – specifically the 18 control measures set out by the Center for Internet Security (CIS) – it’s important to know what cyber controls you need and consider a cyber security maturity assessment to help you know where you stand.
Important things to note before making a cyber insurance claim
In the event that you do need to make a claim, be sure you have all the information about the incident and your level of coverage ahead of time.
Don’t let yourself be surprised in the event your rate increases or your claim is denied or limited due to inaccurate information. By understanding what’s really going on, you’ll be able to decide if your response is appropriate and if it correlates to your insurance coverage.
Take time to ensure you’ve determined the appropriate cyber limits for your organization.
Questions you’ll need to answer in the claims process
Being prepared for your claims adjuster will help the process go a lot smoother than if you go into it blind.
Here are a few questions you should be prepared to answer when you’ve experienced a cyber breach or are about to make a cyber insurance claim:
- What are the time requirements to report a cyber breach to your insurance provider? Some may require notification within hours, days, or weeks of initial discovery of a breach.
- Are there any actions that you must involve the insurance company in when a cyber breach occurs?
- Are there limitations on who you can engage to support your company during a cyber breach or does your insurance policy require specific external providers to be used?
- Are there restrictions or guidelines on the payment of ransom to cyber attackers in the event of a ransomware attack?
- Is there a requirement for legal counsel to be involved when a cyber breach occurs in your company?
Consider your panel providers and options – which can vary between a third-party person or company, or your own IT department – but be sure you know the ins and outs of your policy first.
Make sure you have all the facts
Wherever your company is at in its cyber security and insurance journey, building a solid foundation for cyber protection will look different for each organization.
Curating a unique approach based on your needs is best done with the help of a cyber insurance consultation, external to the resources you have in your IT department.
To learn more about how you can get support throughout the cyber insurance process, contact Phil Fodchuk, Partner, Digital at [email protected] or Craig Burkart, Partner, National Leader - Insurance Advisory, at [email protected].