Blog & Tools

Cyber insurance is a business option that requires homework

Early in 2019, the National Association of Insurance Commissioners, or NAIC, identified cybersecurity as “perhaps one of the most important topics for the insurance sector today.”

To some business people outside the insurance industry, the significance of the product still might be crystalizing. But with cyberattacks are on the rise and more companies suffering business losses or risking regulatory fines or lawsuits, the need for good cyber insurance is becoming more widespread.

Data breaches are forcing, or at least encouraging, companies and organizations of all sizes to do more to protect their networking systems and electronic records. Devising, implementing and maintaining a good, overall cybersecurity strategy has become a fundamental responsibility of any business that strives for ongoing success.

For additional protection, some companies are turning to cyber insurance, which has been around for more than a decade but continues to emerge.

Dozens of companies offer cybersecurity insurance. Potential buyers face many challenges, one being that cyber insurance is not as standardized as, for example, automobile coverage. Details such as what’s covered, insurance limits and costs can vary from one provider to the next.

Jared Ducommun, a risk management consultant in Sioux Falls, talked in general terms about coverage offered by various companies at a cybersecurity program in Sioux Falls in late 2018 that the Better Business Bureau hosted.

Businesses acquiring cyber insurance need to closely assess their needs and compare them with the product they are considering, advised Ducommun, who is with Howalt+McDowell Insurance, a Marsh & McLennan Agency LLC Company. If a policy is cheap, it probably doesn’t cover much, he said.

The potential for business losses in a cyberattack can be substantial. There are several areas in which a company might seek protection. They might want to protect themselves from an interrupted service, for example, or from the loss of sensitive information. They also might want protection from damage to networking equipment or to a company’s reputation.

Like with any other type of insurance, businesses cannot wait until after they’ve suffered a loss to buy coverage. After acquiring coverage, policy provisions might regulate how a company responds after an attack. Even a small company might have to pay several thousand dollars a year for coverage.

Prices vary widely depending on several variables, according to Founder Shield, a digital insurance brokerage for high-growth companies. The factors that are considered include:

  • Vulnerabilities in a company’s system
  • Security training protocols for employees
  • A buyer’s loss history
  • The types of data the organization stores.

NAIC advises companies that cybersecurity policies tend to be highly customized and, therefore, costly. The organization offers businesses the following advice on cybersecurity insurance coverage:

  • Start by conducting a security and self-risk assessment. Determine what to protect, what protection exists and where gaps exist. This also means developing a plan to protect your property and data, operational information and client data. Finally, identify the tools you need to protect this information.
  • Implement sound cybersecurity procedures and training for employees. Educate employees on the smart use of social media, how to spot suspicious emails and not connecting to public Wi-Fi on a company device.
  • If your small business has a disaster recovery plan, consider cybersecurity insurance as part of it. If you don't have such a plan, consider creating one. Developing procedures and identifying threats is important but you also must understand your vulnerabilities. You might consider testing through means such as an internal phishing campaign against employees to check your company's vulnerability.
  • Always back up important business systems and data. Implement settings encouraging regular password changes, restrictions on the websites employees can access as well as strong security software.

The bottom line is that insurance is not a substitute for good cybersecurity practices and that getting coverage requires homework. However, experts also seem to agree that good coverage can increase the chances that the company will be able to withstand a successful attack.

SDN Communications is a regional leader in providing broadband connectivity and cybersecurity services to businesses in communities such as Sioux Falls, Rapid City, Worthington, and the surrounding areas.

Continue reading other blogs that include more information about cyber insurance:

Cyber insurance: An emerging product that’s finding its place

DSU expert urges business victims to report cybercrime

Recurring advice from experts: Back up data, train employees