Holly Sagstetter

What does a CISO look for in cybersecurity insurance policies?

June 2, 2022

Cybersecurity insurance policies are not all the same, and it’s important to understand the requirements and coverage details.

Let’s start with what cybersecurity insurance (sometimes referred to as cyber insurance or cyber liability insurance) actually is. 

Cybersecurity insurance policies are meant to cover the expenses a firm incurs when it is the victim of a data breach or other cyber incident: investigation, notification, legal costs, downtime and the like. They do not automatically reimburse stolen money. If an attacker gets into your bank account and steals $50k, a policy without specific funds-transfer coverage will not, unfortunately, give you that money back.

Traditional insurance policies exclude cyber risks, which is why cybersecurity insurance is typically a separate type of coverage. 

So how do you choose the right coverage? I asked our CISO for some guidance on that, and here’s his advice:


#1 Trust your gut on the insurance salesperson

It’s important that the company and salesperson you bought coverage from (or are considering) really understand what they’re selling. If they tell you “this is what most companies are doing” instead of discussing coverage options based on your specific risk, you might want to look for a different provider who specializes in cybersecurity insurance policies.

#2 Make sure these points are clearly spelled out in the policy

Here are some commonly vague points in cybersecurity insurance policies. You want these points to be spelled out as much as possible:

  • In the event of ransomware, who would pay the ransom? Some policies are vague on this point, usually by saying they provide “cyber extortion and ransom services” without being clear on who would actually cover a ransom payment.
  • One of the most common attacks we see against RIAs (registered investment advisers) is an attacker trying to trick either you or your customer into transferring funds. Make sure you have coverage for “e-crime” or “funds transfer” fraud, and check the sub-limit on that coverage, since it is often much lower than the policy’s headline limit.
  • Ask your insurance provider plainly: if you are fined $1m (by the SEC or another regulatory body), would this policy cover you?
  • Many policies include coverage to help pay for system upgrades after a successful attack, but some do not. Look closely at which expenses will actually be covered, and which are excluded.
  • Most cybersecurity insurance policies have specific reporting requirements. Failing to report a possible incident can jeopardize your coverage for that incident and your ability to get future coverage. Having a policy typically comes with an obligation to report even potential incidents to the insurance company, usually within a set time window, so make sure your incident response plan includes that notification step.

#3 Who needs cybersecurity insurance policies?

We think that any firm holding data that is attractive to criminals should seriously consider cybersecurity insurance. If your company accepts digital payments, or stores personal health or financial data about your clients, you should seriously consider adding a cybersecurity insurance policy.

Cyberattacks are not slowing down, and even small businesses are targets. Ransomware attacks alone increased 700+% year over year in 2020. 

As of a few years ago, cyberattacks were costing businesses $200,000 on average per incident. Cybersecurity insurance policies are important, and can keep you in business even while you are dealing with a cyberattack.

Summary

Cyberattacks can seriously hurt your business, but cybersecurity insurance can help cover the expense of downtime and recovery related to cyber incidents. Make sure your policy provider understands cybersecurity insurance. They need to properly evaluate your risk; a one-size-fits-all policy is typically a horrible idea. Use the points above to identify vague or confusing language in your policy before you need to make a claim.

Is a Virtual CISO right for your business?

We help over 100 of the best financial services, healthcare, and manufacturing companies across the U.S. with their cybersecurity. Most of our clients need to comply with major cybersecurity regulations like HIPAA, CMMC, NIST-800-171, SEC, NYDFS, IRS, FFIEC, etc. Learn more about our Virtual CISO services and contact us for more information: https://adeliarisk.com/virtual-ciso-service/



Copyright 2022 Adelia Associates, LLC | All Rights Reserved