Should You Get A Cyber Insurance Policy For Your Business?

With data breaches and cyberattacks on the rise last year (and with no sign of stopping in 2018), many business owners are making hard decisions on how to mitigate their risks in the event of a cyber incident occurs.

(Note: most cyberattacks and data breaches are preventable if you keep to solid security practices).

The problem with dealing with a cyberattack or breach of sensitive information is that there are enormous costs that many of us don’t consider. In addition to business downtime (from ransomware or data loss), your business will need to confront mandatory steps to mitigate damages from the cyber event. These costs may include legal fees, cyber forensic investigations, press releases, fines, and worst of all, a negative reputation in the marketplace that has led many businesses to close their doors.

While cyber insurance can alleviate a lot of your business’ financial responsibility—which seems like a very nice safety blanket if you are unfortunate enough to be in a cybercriminal’s cross hairs—if you are not taking precautions to limit your chances of cyberattacks or breaches, your cyber insurance may not cover you.

And even when a cyber event is covered by your policy, you’ll probably have to shell out quite a bit of dough—normally around $50K—as a deductible to get coverage.

Since cybersecurity insurance is a relatively new type of business insurance coverage and because cyberattacks have been getting worse since the start of the year (for one example, see our recent discussion on the latest Samsam attacks crippling businesses and municipalities large and small), I thought it necessary to briefly walk you through cyber insurance and considerations you’ll need to make to decide whether it’s a good option for you.

But first, what exactly is cyber insurance?

Cyber insurance essentially is a standalone policy that can help your business recover from data loss resulting from either a cyber security breach or other event, such as a network outage or interruption to your business service.

The scope of policies vary considerably in what they cover, costs of insurance and exclusions, so you will likely need to read all of the fine print to determine whether the policy is actually going to give you sufficient coverage to survive an attack.

Why consider cyber insurance for your business?

While choosing between different cyber insurance policies may seem complicated—in that there is no one standard policy—it may be a good addition to your business strategy for security risk management and response.  As I mentioned above, there are a LOT of expenses incurred during a cyberattack. And picking the right coverage that makes sense may take reading pages of fine print.

How can you lower your cyber insurance costs or ensure you are covered in a cyber event?

Think of cyber insurance like automobile insurance.  Auto insurance does not give you a green light to drive drunk. And cyber insurance certainly doesn’t give you a green light to overlook important cyber security responsibilities. Your insurance provider will expect that you preserve a certain level of cyber security within your network to be eligible for cyber insurance benefits in the event something happens.

The more risks you take on from having poor IT Security practices, the more you’ll probably have to shell out for coverage.

How can you prevent or mitigate cyberattacks through proper IT implementation?

Patch your machines— I know you might be thinking that I’m a broken record here, but you’d be surprised how many businesses around Philadelphia forget to update their networks with security patches. The most recent ransomware viruses (such as the Samsam virus) actually move with network vulnerability scanning software. If you haven’t patches that workstation or server recently and it still has an open back door, be assured that the latest ransomware variants may find their way in your network unnoticed. Applying patches is critical to prevent disasters from occurring (and ensuring in the event of an attack, you can provide evidence to your insurance company that you followed good security hygiene).

Train your staff— while network vulnerabilities might be the latest way many hackers are breaking into business networks, phishing scams and social engineering is definitely a close second! Scammers are more sophisticated in how they are reaching out to team members.

Often posing as you—the CEO—scammers are requesting sensitive info be sent to email accounts that almost look like yours. In many instances, scammers have added a second email notifying staff that the first email was a scam, but to send information to a private (more secure) account.  Be sure your team understands how to recognize scams as they evolve and question sending out sensitive information via email. Make sure they confirm (by phone) with the person requesting money or sensitive data before giving it away. Since tax season is upon us, make sure your accounting team is especially suspicious about requests for information or funds (because scammers are targeting tax returns hoping to cash in).

Backup your network— many companies don’t realize how important backups are if they end up getting a ransomware virus. If you don’t have a working backup, you might be left with no data (paying a ransom for encrypted data is simply rolling the dice. In recent ransom attacks, even when a ransom was paid, the likelihood of data recovery was close to 70%).

And even when businesses have backups, many keep their backups on network. For most modern viruses, your entire network is vulnerable to an attack—if your backups are connected to your primary network, they most definitely will also be encrypted or (in some cases) permanently deleted. Make sure you have a recent, working offsite backup to ensure data recovery and minimize downtime to hours (opposed to weeks or months before data is recovered, if ever).

Have a recovery plan— just as you have a strategy for implementing you 2018 business goals, you need to have a strategy that meets 2018 security concerns. As viruses become more virulent or create more damage on a network, you need to be thinking about what your response will be. Having a comprehensive backup and disaster recovery plan that incorporates cyberattacks, data loss and data breaches is a crucial component to mitigating risks from an attack efficiently and quickly.

Understand your risks—the biggest problem with most business security is that their team doesn’t see security problems until it’s too late. Most of us won’t call a lawyer until they have a lawsuit or uphill legal battle. Likewise, the majority of businesses don’t think about their IT security and infrastructure until they’re faced with dire ransoms and data breaches (all of which may completely risk their business continuity).

By performing an annual security network assessment and understanding where your risks lie, you can be empowered to shore up your security and plan in advance for initiatives to keep you, your team and your clients safe from growing cyberattacks.

Take home: prevention is key to keeping your business safe. Insurance will help minimize the effects of an event, but having adequate IT Security measures in place at your office will significantly minimize your risk of ever needing to pay for a policy (and will likely reduce your insurance costs long term).

Are you considering cyber insurance but don’t have the slightest clue whether your IT Security meets your insurance policy’s standards? Are you concerned about keeping your business safe from ransomware? Contact us TODAY for a free security network assessment.