Dan Smith, Zeguro co-founder and Forbes Technology Council member, helps first-time buyers get familiar with cyber insurance. (Reprinted as it originally ran on Forbes.com last month.)
[This article was originally published on Forbes.com, courtesy of its author, Dan Smith, co-founder of Zeguro and member of the Forbes Technology Council.]
With data breaches increasing in number and severity, organizations are realizing the need to protect their financial security with cyber insurance. Not only are businesses buying insurance for themselves, but they are also requiring the third parties they work with to have coverage.
For many organizations, especially SMBs, this is the first time they're purchasing cyber insurance. These first-time buyers often have many questions about what cyber insurance is and how it benefits them. Here are answers to some common questions we've seen from our experience selling cyber insurance.
Cyber insurance protects against cyber risks and helps organizations recover from security incidents. When evaluating policies, organizations should purchase based on which coverages they need most. In order to do this, there are eight areas of coverage businesses should know about:
• Public relations expense.
• Replacement/restoration of electronic data.
• Website publishing liability/media liability.
• Security breach expense.
• Business income and extra expense.
• Programming E&O liability.
• Extortion threats.
• Data breach or security breach liability.
Besides these main coverage areas, some providers offer optional coverages that you should review in case they're relevant to your business.
A key driver for businesses seeking cyber insurance is to meet contractual obligations imposed by potential enterprise clients. In fact, 55% of SMB prospects that utilize our online quote form say they are buying insurance due to contractual requirements. This is because enterprises do not want to take on the risks inherent in sharing sensitive or private customer data with SMB vendors that do not have cyber insurance.
Most people think that all insurance works like car accident claims, which often rely on negligence (someone was speeding, someone ran a red light, etc.). In more complex car accidents, such as a pileup, multiple drivers are negligent. The first car stopped short, but the ones behind it might have been speeding. Insurance companies split up the costs based on the different levels of negligence.
Data breaches aren't like car accidents. Even though a data breach at one vendor leads to a domino effect that appears similar, laws treat them differently.
Cybersecurity regulations increasingly apply "strict liability." Most regulations require vendor risk monitoring and hold companies liable for data breaches arising from their third-party business partners. These requirements mean that organizations can be sued when a third party fails to keep its security controls effective.
Such requirements mean cyber insurance is no longer optional for enterprise vendors — like most B2B SaaS companies that want to grow their business. Failing to carry a cyber insurance policy means failing to close critical deals and grow their business.
If you have homeowner's or rental insurance, you're already aware that most policies exclude coverage for "preventable" losses. For example, you know that frayed wires are a fire hazard. If your house or apartment catches on fire because of a frayed wire, your homeowner's insurance won't cover it.
In the same way, your cyber insurance policy likely precludes coverage if you fail to maintain reasonable security practices. That phrase may sound ambiguous, but coverage litigation increasingly defines it as maintaining basic protections such as encryption, firewalls and other fundamental controls.
To ensure coverage for data breaches and leakages, make sure that you continuously monitor your controls. Just like you'd check your home for frayed wires and have an electrician fix them, you need to monitor for new risks and update all software, networks and systems with security patches.
Homeowner's and rental insurance policies also exclude coverage when you don't take reasonable care to protect people you invite into your home. If your friend falls in your house because you haven't fixed your stairs, then your insurance probably won't cover it. You didn't take care of your home, so you're responsible for the harm.
In the same way, you need to make sure that you're protecting access to and within your digital home. For example, contractors often have more access to data than they need to do their jobs. If they take or share sensitive information outside of your organization, that data breach is your fault.
When you're giving users access to your systems, software and networks, you need to protect access with the principle of least privilege. Users should only have the minimum amount of access to data necessary to do their jobs; otherwise, you might be placing your organization at risk. When seeking out cyber insurance, organizations need to ensure that they continuously monitor their cyber health to prevent coverage litigation.
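As an added illustration of the least-privilege point above (example code, not from the original article or from Zeguro), the script below compares each account's actual grants against a per-role baseline of the minimum permissions the job needs, flags the excess for removal, and authorizes requests against the baseline rather than the raw grant list. The role names, accounts and grants are constructed for this example.

```python
"""Least-privilege audit: compare each account's actual grants against the
minimum its role needs, and authorize requests against that minimum.
Constructed example: roles, accounts and grants are made up for illustration."""
from dataclasses import dataclass

# Assumed role baselines: the minimum (resource, action) pairs each job needs.
ROLE_BASELINE = {
    "contractor-frontend": {("web-assets", "read"), ("web-assets", "write")},
    "support-agent": {("tickets", "read"), ("tickets", "write"),
                      ("customers", "read")},
    "payroll": {("payroll-db", "read"), ("payroll-db", "write")},
}


@dataclass
class Account:
    name: str
    role: str
    grants: set  # (resource, action) pairs actually granted in the system


def excess_grants(account):
    """Grants beyond what the account's role needs; an empty set is compliant."""
    baseline = ROLE_BASELINE.get(account.role, set())
    return account.grants - baseline


def is_allowed(account, resource, action):
    """Authorize against the role baseline, not the raw grant list, so an
    over-provisioned grant cannot be exercised before it is cleaned up."""
    return (resource, action) in ROLE_BASELINE.get(account.role, set())


def audit(accounts):
    """Map each over-privileged account name to its sorted excess grants."""
    findings = {}
    for acct in accounts:
        extra = excess_grants(acct)
        if extra:
            findings[acct.name] = sorted(extra)
    return findings


# Constructed sample: a contractor account that accumulated access to
# customer and payroll data it does not need, and a compliant support account.
SAMPLE_ACCOUNTS = [
    Account("ext-dev-01", "contractor-frontend",
            {("web-assets", "read"), ("web-assets", "write"),
             ("customers", "read"), ("payroll-db", "read")}),
    Account("support-17", "support-agent",
            {("tickets", "read"), ("tickets", "write"), ("customers", "read")}),
]

if __name__ == "__main__":
    for name, extra in audit(SAMPLE_ACCOUNTS).items():
        print(f"{name}: excess grants to revoke -> {extra}")
```

Running the audit on a schedule, and keeping the output as evidence, is the kind of continuous monitoring that demonstrates access was controlled before an incident rather than argued about afterward.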
As more data flows across complex, interconnected IT ecosystems, security professionals believe that data breaches are no longer a matter of "if" but a matter of "when." With that in mind, most organizations need to think of cyber insurance as a larger part of their holistic cyber risk management strategy.
Although cyber insurance pays out only after a breach occurs, purchasing it is a proactive risk mitigation strategy. As part of your cyber risk assessment, you need to incorporate the potential impact a data breach might have. Traditionally, organizations calculate impact in terms of potential financial loss and the effect on continued financial stability. Cyber insurance acts as preemptive financial risk mitigation for continued business viability.