Cyber insurance policies have existed since the early 2000s. Businesses going online wanted safeguards against risks associated with evolving cybersecurity threats. Having a cyber insurance policy is just a starting point, though, and your business also needs to understand the insurer’s expectations of you. Otherwise, you might find your claim gets denied.
As with most professional liability policies, your cyber insurance may have exclusions, including:
- rogue employees;
- wild viruses;
- regulatory claims;
- fines and penalties;
- property damage.
Cyber insurers also may not pay out if they find "a failure to maintain" or a "failure to follow" certain standards of care. It's the online version of negligence. But what does it really mean?
Standard of care expectations
Insurance companies want proof that your business takes proper precautions to prevent cyberattacks. If you can’t show you’ve implemented strong security measures, you run the risk of a denied claim. So, they’re going to require you to put protection in place. Your security approach must be comprehensive. It’s best to map out all your technology so that you can identify every endpoint that needs protection. Relying on antivirus software, for instance, is unlikely to satisfy your insurance provider. Add active threat detection and response tools to your arsenal, too.
Insurers also want to see evidence of effective training for your employees, because humans are now becoming the weakest link. Your staff may not mean to do wrong, but they are the ones who choose weak passwords, misplace devices, or inadvertently download malware.
Expect insurers to also want you to have:
- encryption to secure data;
- multi-factor authentication to make unauthorised access more difficult;
- virtual private networks (VPNs) to secure connections between computers and the internet;
- regular “air gapped” data backups;
- staff awareness training;
- company policies and processes to respond to cybersecurity incidents.
As the cyber environment is always evolving, insurers are regularly adapting. They may have quoted coverage for a particular risk, then changed their policies to decline that same risk a year later. It's one more thing to keep abreast of while also working to secure systems against cybercrime.
Would your cyber insurance policy pay out if you were attacked?