6 min read

The Role of Cyber Insurance in Risk Mitigation and Disaster Recovery Planning

Featured Image

The rise in remote work environments has opened a Pandora’s box over the past few years, heavily contributing to the increase of cyberattacks and subsequent financial damages faced by organizations around the globe. In many cases, employees working from home simply don’t have the same network security and protection on their personal devices as they do in the workplace.

In addition to the financial loss that can accompany a cyberattack, there are many factors at play, including reputational risk, potential loss of market share or a dip in stock price, impact to brand trust and potential regulatory fines. The total business impact, including liabilities and threats that could jeopardize a business must be considered when developing a disaster recovery plan, not just the immediate impact to the physical infrastructure or network.

FNTS and its sister company FNIC, a trusted insurance advisor, are committed to helping organizations implement disaster recovery and risk management solutions. Cyber insurance is becoming a crucial part of disaster preparedness as it’s becoming more important for businesses to prevent hefty damages from large-scale attacks and protect customer data and personally identifiable information.

The Changing Landscape of Cyber Insurance

Cyber insurance, also referred to as cyber liability insurance, data breach insurance or simply hacker insurance, is an insurance product that covers the costs associated with hack attacks and data breaches. Cyber insurance covers the costs faced by a business after experiencing a hacker-prompted cyberattack.

While we recommend every organization have some form of cyber insurance, we realize it is becoming more strict, selective and expensive. Since 2019, premiums have increased 20-25%. Today, some premiums have increased in the range of 50-200%. Factors taken into consideration when determining premiums include the type of industry served, previous history of damages and the security controls the organization already has in place.

Some carriers may not even offer terms if the following security measures and controls are not in place:

  • Multi-factor authentication (MFA) for all business email accounts.
  • MFA for all remote access to the network.
  • MFA for all privileged user accounts (e.g. IT admin accounts).
  • Offline back-ups that are fully disconnected and inaccessible from the organization’s live environment or cloud backups secured by MFA.
  • An endpoint detection response (EDR) solution deployed across all endpoints.
  • A network monitoring solution to alert the organization of any suspicious activity or malicious behavior on the network.
  • Phishing training and simulated attacks for all employees.
  • Email filtering software to scan and filter all inbound and outbound messages for spam and malicious content.
  • Regularly updating computer systems and carrying out critical patches relating to zero-day vulnerabilities as soon as they are released by the vendor.

At FNTS and FNIC, we recommend organizations implement the above measures to help ensure qualification for coverage. Additional measures organizations can enact to protect data and prevent incidents include:

  • Keeping software up to date and implementing robust security monitoring programs.
  • Training employees on cybersecurity best practices, such as not opening links from unknown senders.
  • Encrypting sensitive financial data and personal information.
  • Performing ongoing security audits.

Commonly Covered Incidents

Cyber insurance policies can provide organizations peace of mind that they’re covered and have guidance from cybersecurity and IT legal professionals should a covered loss occur. Incidents covered by cyber insurance can vary by carrier and policy. Below are commonly covered in a first-party coverage plan:

  • Covers incidents that impact the business
    • Forensic experts
    • Data breach attorney
    • Notification
    • PR expenses
    • System damage and restoration
    • Business interruption
    • Reputational harm
    • Cyber-crime fraudulent transfers, also known as social engineering or wire fraud
    • Ransomware extortion
    • Crypto-jacking
    • Hardware replacement
    • Third-party coverages
  • Covers incidents that impact others
    • Loss of sensitive information
    • Personally Identifiable Information (PII)
    • Protected Health Information (PHI)
    • Payment Card Information (PCI)
    • Third-party lawsuits
    • Regulatory fine/penalty
    • Passing a virus onto others

A few common misconceptions about cyber insurance is that everything is insurable and there will not be an out-of-pocket expense. Policies include premiums, deductibles and a potential waiting period before coverage kicks in.

Key Steps for Determining Coverage

When determining coverage, there are key steps organizations need to take when working with an insurance provider. These steps include measuring risk. The insured organization knows what their own risk is based on the measures and controls they have in place. In addition, they should have an understanding of what their potential loss could be. For example, when a ransomware attack occurs, hackers usually get into a company’s system and stay latent for 90-180 days, monitoring activity, financial transactions, etc. Attackers gain an understanding of the annual gross revenue for that business. Then, they take the system down and ask for a ransom payment that is usually 4-6% of the business total gross revenue.

Getting Started

Cyber insurance coverage may be purchased separately or as a rider to your current business insurance policy. Comparing insurance providers can give an organization a better understanding of coverages and costs. The underwriting process is fairly straightforward and begins with an application. The organization would also need to provide proof that has proper security measures and controls in place. That is then taken to the marketplace by their agent to obtain terms for review. Costs are calculated by factoring the organization’s industry type, total revenue and existing security measures and controls.

What the Future Holds

It’s uncertain if cyber insurance will be mandated for organizations. It is more likely to be mandated in industries that hold a lot of sensitive personal information such as dates of birth, social security numbers, driver’s license information, medical history, credit card information, etc. Consumer-based services that society relies on such as utility providers and manufacturers also could be impacted in the future.

To learn more about cyber insurance and protecting your organizational assets, contact FNTS (800-820-6924) or FNIC (402-861-7000).

This blog was written by Don Pecha, Senior Director of Information Security at FNTS and Trevor Fiala, Sales Executive, Commercial Insurance with FNIC.

email-portrait-Don-PechaDon Pecha executes highly successful information security programs and leads information security strategies and maturity for FNTS, encompassing risk management; strategy; architecture and engineering; cloud; regulatory compliance; IT governance and privacy. Don’s extensive knowledge in technological security keeps FNTS’ security operations performing at a high level. He enables and ensures compliance is met for clients through customized and strategic solutions that align with organizational needs. In his more than 25-year career in the Higher Education, Finance and Healthcare enterprises, Don has built knowledge of the complexities to each field through his previous technical, marketing and business roles. He holds current certifications as an Ethical Hacker and Chief Information Security Officer both from the EC-Council.

email-portrait-trevor

Trevor enjoys building relationships and helping others. He’s been in the insurance industry since 1998 when he started working at his uncle’s agency in Los Angeles, CA. Trevor likes to stay busy and working efficiently for his clients. He takes the time to understand their business because he knows the impact risk management has on a company’s business goals. 

Before joining The Koch Co. in 2019, Trevor was with PJ Ramaekers. During his time with the agency, he earned GEM Agency Distinction three times and was named one of three top insurance agents in Omaha by the readers of the Omaha World-Herald as part of their 2017 Omaha’s Choice Awards.

Outside of the office, Trevor serves as the President of VILA, a nonprofit landowners association in Sarpy County, NE. Its mission is devoted to preserving, protecting, and improving the property’s natural beauty, diverse natural habitats and the many recreational opportunities in the area. He also spends time with family and friends preferably by the river.