By Robert J. Kerwin
The 2020 global increase in malicious cyberactivity against companies has been well reported.
As of March 30, 2020, the FBI's Internet Crime Complaint Center (IC3) reported it had received and reviewed more than 1,200 complaints related to COVID-19 scams.
In a previously published report, the global cyber education company, Cybint, noted that 64% of companies experience web-based attacks. Of these companies 43% of the cyber attacks target small business. Despite those threats, only a relatively small percentage of firms have cybersecurity insurance to cover all risks.
Special-Pricing Available on Medical Displays, Patient Monitors, Recorders, Printers, Media, Ultrasound Machines, and Cameras.This includes Top Brands such as SONY, BARCO, NDS, NEC, LG, EDAN, EIZO, ELO, FSN, PANASONIC, MITSUBISHI, OLYMPUS, & WIDE.
Many companies don’t fully realize the scope and breadth of their cyberpolicies until a cyberattack occurs, which is not the time to determine how good your policies are. Companies need to review their cyberpolicies now. Moreover, a company's future business may, in part, depend upon whether they carry cyber insurance. Recognizing the perilous nature of these cyber threats, more and more hospitals and manufacturers are requiring their vendors to carry cyber insurance.
Wading into the confusing world of cyber insurance is not easy. There are complicated coverage terms including: Incident response costs, legal and regulatory costs, IT security and forensic costs, crisis communication costs, privacy breach management costs, third party breach management costs, post breach remediation costs, theft of funds in escrow, theft of personal funds, extortion, corporate identity theft, push payment fraud and unauthorized use of computer resources, system damage and rectification costs, income loss, business interruption, reputational harm, claim preparation, hardware replacement costs, fines, intellectual property infringement.
Navigating all of the above is no walk in the park — especially after completing an extensive application form which requires disclosure of all controls and policies currently in place. The questions will vary from insurer to insurer, but they will all want to know if you had an independent third party cybersecurity audit and an account of any remediation that was performed. Candor is important, especially with respect to the training being given to employees in cybersecurity and whether your policies and procedures are being followed. Will an insurer pay claims submitted if they come to learn that the application disclosed policies and procedures that were never followed?
So where do you begin?
Cyber insurance is not like any other insurance. Several acknowledged authorities encourage simplifying the coverage inquiry to: Why do you need it? Are your biggest vulnerability concerns privacy obligations (PII or PHI)? Is your concern loss of data? One must begin with data mapping: where does your data sit? If it's in the cloud with a third-party, you will want to have third-party coverage. If your company uses a social media platform, you may want to look into media liability coverage. Can you obtain coverage retroactively? You want to have a vulnerability assessment conducted, and of course undertaken remediation. That is the point you can assess: what coverages are needed? You should have a solid data governance program. What are your document retention and destruction policies? Most states have long required that you maintain a written information security plan (WISP) so when incidents occur, you can use your WISP to respond in real time to the threats. Most importantly, you need within the company an "owner".