2017 Cyber Liability Insurance Considerations
The average cyber breach cost in 2016 was $665,000 (@NetDiligence). I repeat, $665,000. For most businesses, that’s game over.
Cyber liability insurance is an effective tool for insuring against a growing business threat. While not an end-all solution, it rounds out a risk management program nicely and at a relatively affordable cost. As a risk transference solution, cyber insurance is a conduit to services, bringing incident response firms, lawyers, public relations consultants, credit monitoring services, and much more to your business immediately following a breach. 2016 saw a marked uptick in purchasing by companies of nearly all sectors and sizes. All predictions are that 2017 will be no different with higher adoption rates. Here are just a few cyber liability insurance considerations as we move into the New Year.
- Know your broker: Cyber insurance is not standard in application, coverage, exclusion, or pricing. There are approximately 70 carriers in the market with different risk appetites. Exposures are complex as are the products to cover them. Your broker can be your biggest asset or your biggest liability when it comes to cyber liability insurance. To start, you should expect a broker who can explain the litany of exposures your business might face, the application process, necessary (and unnecessary) coverages, appropriate markets, and pricing. Hire wisely, hire right!
- Consider all your threats: Ransomware plagued so many businesses in 2016. Extortion has become the hot coverage item as CEOs weigh their risks. Additionally, distributed denial of service (DDoS) attacks like those on Krebs on Security and Internet company Dyn will continue with the Internet of Things (IoT) explosion underway. Don’t forget the protection and insurance coverage for theft of your crown jewel intellectual property or the PCI DSS assessments and fines if you have a large payment card exposure. Consider all your threats and make sure you have a well-balanced policy covering the most applicable exposures to your business.
- How much to buy? With minimal capital, technology, and people invested to fight off cyber threats, insurance adoption rates will climb in the small and medium size business (SMB) space. Remember, insurance is not an end-all solution, but an excellent risk transfer tool and a whole lot better than nothing. How much is enough? Many first time SMBs purchase $1MM-5MM in limits and medium sized businesses grow into $5MM-20MM limit policies, sometimes multi-layered across a number of carriers as businesses continue to grow.
As we evaluate risk transference solutions (insurance), we should consider the threats to businesses that will persist into 2017 and how we mitigate the risk.
- For goodness’ sake, have a plan: We consciously and subconsciously plan for nearly everything. When preparing to take a trip with family, we prepare our luggage, departing time to account for traffic, etc. The best football team in America, the Carolina Panthers (*tear*), goes into every game having watched hours of the other team’s film, knowing who will guard who, and how they plan to win. Cyber security risks are no different. Consider using a reputable firm to build an effective incident response plan. If you want to bootstrap it yourself, there are great (free!) tools available. But for goodness’ sake, have a plan. Plan to win.
- Know the game: If you plan to win, you need to know the game and specifically, the players. Hackers run the gamut, from nuisance attackers looking to enlist your network in a botnet to organized criminal enterprises to sophisticated nation state attackers. Know who you’re up against. Get with your insurance broker, your local FBI field office, or one of the many talented cyber security firms to learn more about your opponent and how that impacts your plan. Second, know the game. Hackers attack for different reasons. The Nigerian Prince you keep hearing from wants to enlist your computer into a botnet and sell control of it (and thousands of others) to other hackers. The Ransomware scare you had in Accounts Payable last year is being driven by attackers who want money, period. When the FBI paid you a visit and showed you the gigabytes of “crown jewel” intellectual property stolen from your network, it was likely perpetrated by a state sponsor, aka the Advanced Persistent Threat, who intends to build a competing firm and drive you out of business. This is a complex game with tons of players and tons of consequences. Know the game.
- Know the playbooks: If you plan to win, you need to know the opponent’s playbook and your playbook. Ransomware crippled businesses through digital extortion in 2016, and 2017 is looking no different. Average payments of $32k (@NetDiligence) left companies poorer and more insecure at year’s end. IT safeguards (your playbook) are crucial in mitigating Ransomware attacks. How often are you updating your technology (e.g., operating system, firewalls, AV, etc.) and policies (e.g., mandatory employee awareness/training, risk assessments, spearphishing campaigns, mandatory password changes, social media policies, etc.)? You should have an outstanding staff, aka Offensive & Defensive Coordinators, to advise you on your playbook. If you can’t afford it, outsource it and do a diligent review before you hire them.
- What else is in the opponent’s playbook? The FBI reported losses from Business Email Compromises at over $3B (yes, a “B”), and that’s just what’s been reported to them. The Internet of Things (IoT) will increase the attack surface exponentially for hackers. Cars, refrigerators, manufacturing equipment, medical devices…they will all be connected to the Internet and safeguards are unfortunately (often) last minute thoughts for device manufacturers. Know how this can bite you in your business. Doxware is expected to grow in 2017. Imagine your data spewed all over the Internet instead of just used as a private tool for extortion by attackers. Attackers’ playbooks will morph this year, as they always do. Know the playbooks and have partners who can keep you up to speed.
- Know your team: A good coach knows his players like they’re his kids. He knows what they’ll say and do before they say and do it. Know your team. Who are the quarterbacks to hammer out details before, during, or after a breach? Who are your linemen protecting your networks day in and day out? Outside of your players, who’s on your coaching staff? Who are the trusted advisors you’ve put on your team? Insurance brokers, incident response firms, attorneys, accountants, they’re all vital team players if you’re going to win. They’ll help you build your playbook, your team, and your strategy. If you don’t have a team, find the experts that know the game, get them on your team, and build your bench from there.
Written by Evan Taylor
Evan serves as a Risk Consultant with NFP, a leading national insurance broker, and is based in Charlotte, NC. He is a trusted advisor for clients, delivering property and casualty insurance solutions with an expertise in cyber liability. Evan has vast experience helping companies compete in a global economy by maximizing cost effectiveness and delivering value with insurance solutions. Prior to NFP, Evan served with the Federal Bureau of Investigation and BB&T Bank. He’s passionate about educating and protecting businesses from today’s complex risks and maximizing the value of a business’ insurance program so companies can thrive.
Contact him at Evan.Taylor@NFP.com or @HackInsurance