Well before the Covid-19 pandemic, cyber insurance was already growing at an astonishing rate. Multiple reports and analysts estimated the growth of the cyber insurance market from approximately £ 5.8 billion in 2020 to £ 15.2 billion by 2025.
This explosive growth was then further amplified by the sudden changes in work/life driven by the pandemic. organizations saw new investments across technologies to support remote working and digital transformation and deeper investments into automation and supply chain solutions to help manage deficits. And with those widespread investments, we also saw an unprecedented rise in volume, severity and sophistication of attacks. Deep Instinct 1 published a research report showing that malware increased by 358 percent overall and ransomware increased by 435 percent as compared with 2019. And by all reports, 2021 is poised to break even more cyber-attack records.
The perfect storm of rapid technology adoption and rapid-fire attacks has left organizations eager to hedge the cost of cyber risk with cyber insurance. In fact, Marsh reports the number of UK organizations purchasing cyber insurance has doubled in 20202. And companies are willing to, and most certainly do, pay a premium for that coverage with cyber insurance policy pricing increasing by more than 25 percent by Q2 2021 according to a recent survey3 from the Council of Insurance Agents & Brokers (CIAB).
With incredible investments made by both organizations and Cyber insurers, the alignment of policy and incident response is a critical component. Unfortunately, this alignment is neglected until after-the-fact as most cyber insurance policies are purchased in conjunction with Workers Comp, E&O, D&O, etc., and without the express input and direct interaction needed by the cyber security group.
Cyber insurance is generally designed to protect organizations from risk through distinct insuring agreements. The areas most applicable to IT and IT review include those around network security, privacy liability, operational and third-party risk and errors and omissions.
- Network security agreements cover businesses in the case of a network security failure resulting in data breach, malware infection, business email compromise, cyber extortion demand, and ransomware.
- Privacy liability coverage protects organizations from the legal and regulatory liabilities arising out of a cyber incident or privacy law violation.
- Operational risk and the associated revenue loss can be mitigated with network business interruption coverage. When your network or a critical partner provider’s network goes down due to an incident, organizations can recover lost revenue, expenses and extra costs incurred during the time of business interruption.
- Errors and omissions - A cyber event could keep you from fulfilling your contractual obligations and delivering services to your customers. E&O covers claims arising from errors in the performance of or failure to perform your services
The greatest problem with securing a policy without the cyber team’s input is that cyber insurance policies are contracts that establish expectations and commitments between the insurer(s) and the insured. If these expectations are not satisfied, the insurance policy may not deliver on its promise. Even if IT management is aware of the cyber insurance policy, they lack the legal and insurance expertise to sufficiently interpret and satisfy the various stipulations of the policy.
Another issue with entering into an agreement without IT and Security team input is that incident process needs to be driven by the organization. Without complete understanding, agreement and adoption of policy directives, other demands will most likely take precedence and/or overwhelm IT and IR management during an actual incident.
Here are a few considerations when making sure your policy and incident response practices align:
- Provide visibility and involve IT and IT Management so they can proactively integrate cyber insurance into their IR plans.
- Update CIRP and review the organization's cyber insurance policy prior to a crisis.
- Establish vendor relationships before you get hit. Cyber insurance policies typically provide a range of services. Their preferred vendors and partners may not be the same as those of your organization and you may also require additional resources.
Visibility and Involvement from IT and IR Management
IT and IR management need to be engaged before a cyber insurance policy is purchased to provide input and feedback to the expectations and commitments. Once a policy is chosen, IT and IR management must proactively integrate cyber insurance into their IR plans and ensure that knowledge is communicated throughout the incident response teams. At the bare minimum, they must ensure the person responsible for the cyber insurance policy is part of the Incident Response Team.
Update your Cyber Incident Response Plan (CIRP)
As they say, “planning and preparation prevent poor performance”. As such, there are several other concerns that should be reviewed prior to a cyber-attack or breach crisis with respect to your cyber insurance policy. Ensure you are aware and have a process for: notification requirements of the insurance carrier, initiation of IR support (i.e., Breach Coach), responsibility regarding initiation of any Ransomware bitcoin payment, and any “Gotchas” in the contract (e.g., 72-hour ransomware notification requirement). All of these, and more, should be part of your updated CIRP.
Establish a Relationship with Preferred Vendors
Cyber insurers typically provide a list, or panel, of experienced service providers to provide legal, computer forensic, notification, call center, public relations, crisis communications, fraud consultation, credit monitoring and identity restoration advice and services for their policyholders in the event of a breach crisis. These panels are suggested vendors and may provide a deeper discount on their services through the insurer relationship. However, most insurers do not require you to use their vendors and you may have flexibility in using long-standing partners. Whatever route you choose, it’s important to know who to call when the time comes.
Extend your Backup Resources
You may require additional resources depending on the type of incident. For example, in extreme circumstances, a specialized vendor for external network and server rebuild support may be required. Or if you outsource your usual day-to-day legal counsel, they will likely also be needed during a crisis. Any additional resources will charge you for their support. If you want these costs to be covered, you will need to either adjust your plans or your policy to meet your needs - and before an incident. You won’t be able to adequately source and hire in the middle of a crisis.
Cyber insurance is an effective way for organizations to offset the risk and cost of a breach as long as their incident response teams work smartly and within the policy. Involvement and communication are key to avoid being that IT/IR manager who realizes 6 weeks and 6 figures into a crisis that you missed one (or more) crucial conditions of your cyber insurance requirements for payment coverage.
- Keep your organization safe with the best business antivirus solutions right now
Ritesh Singhai, Senior Director, EMEA Solutions, Secureworks