By Edward Maule, CIO and CISO, Advocare
Bad things happen. While we can work hard to minimize the chances of bad things happening, we cannot completely eliminate them. The best option is to transfer some of that risk, which we do by purchasing insurance. Cyber insurance is becoming an increasingly necessary, but increasingly challenging proposition.
In the past, virtually any company could buy cyber insurance, regardless of the state of their cyber defenses. The only variable would be the cost. This is no longer the case. Due to losses across nearly the entire insurance industry, insurance companies are no longer willing to sell insurance to organizations that don’t have a healthy cybersecurity program.
At our organization’s last renewal, our insurance broker presented us with a long list of controls that needed to be in place, or they would be unable to obtain bids for us. These included a SIEM, immutable backups, privileged access control, network segmentation, and an EDR, among other things. Interestingly, our broker made it clear that, given the wide spectrum of capabilities among EDR products, we should be conservative and choose a product in the Gartner Magic Quadrant.
This was particularly challenging, as the news came after the latest budget cycle had begun. We had no choice but to commit unbudgeted funds to meet these requirements; not having cyber insurance was not an option. In the end, we were able to keep the costs under control through lucky timing with expiring contracts and vendors willing to get creative with the timing of invoices. The lesson here is that when it comes to cybersecurity budgeting, assume that surprises may come, and that when they do, they will be big ones.
The story does have a happy ending, however. Thanks to the hard work of our Infrastructure and Cybersecurity teams, we were able to get everything in place within the limited time we had. When we moved on to renew our insurance, we were surveyed to determine whether we had met all the requirements. We did so well that not only did we have no trouble obtaining new cyber insurance, but our rates stayed flat and our deductibles actually went down.
Obtaining cyber insurance was a challenge in and of itself, but not the last challenge related to cyber insurance. As with any insurance, you need to make sure that your coverage matches your specific needs. A cybersecurity incident can cost wildly different amounts, which makes the cost difficult to estimate, and generally speaking, you have probably underestimated it. There are people costs, hardware costs, lost revenue, and possible regulatory penalties. These costs are likely inversely proportional to the investment you’ve made and the maturity of your cybersecurity program. If you haven’t invested enough in cybersecurity, you had better invest more heavily in cyber insurance. The real challenge is in being honest about the sophistication of your cybersecurity posture and reasonable, if not flat-out pessimistic, about the costs of a cybersecurity incident.
One area often overlooked is how your cyber insurance provider and/or your broker can help with your cybersecurity program. They often provide free tools and surveys to measure your cybersecurity program’s maturity and compare it with that of other, similar organizations. You answer a series of questions and are given a rating. While this is no replacement for a third-party assessment, it does provide a free view into your status any time you need it, with much less effort.
Another useful service they often provide is downtime tooling. One area that cybersecurity sometimes struggles with is business continuity, particularly inside its own department. We all depend on our computers and phones and the data on them. I’m betting that of the hundreds of phone numbers in your phone, you only actually know three of them: yours, your significant other’s, and the one from the house you grew up in. However, in a cybersecurity incident, you might not have access to your contacts. Insurance companies and brokers often provide tools to store key data such as contact information, standard forms, and policies. I would still advise keeping hard copies of all of this, since in a cybersecurity event that affects a whole region, even those tools might not be available.
The final, and possibly most important, tool they provide is cybersecurity tabletop incident exercises. Cybersecurity programs can rarely be better than they are funded; tools and people cost money. For this reason, it is critical that executive leadership and the board understand the risks and possible negative eventualities. As we all say in cybersecurity, “It is not if, but when.” To this end, running tabletop exercises can help the people who run and govern your organization accurately understand just how impactful and challenging a cybersecurity incident will be for your specific organization. It makes the general specific and very personal (from a professional perspective).
I know that at the beginning of my career in cybersecurity, I focused more on the technical aspects of the job. But as time has passed (and I do less and less actual technical work), I have learned to focus on the things that don’t come naturally to IT people, and cyber insurance is surely one of these things. We are all well served by taking a pause and evaluating our own cyber insurance situation.