A wave of phishing, business email compromise and other social engineering attacks started soon after news of the COVID-19 outbreak. And remote work raised new risks, especially for companies that had to build out their infrastructures quickly to keep the business running. CISOs and CIOs confirmed a surge in attacks in the March-through-May period and expect elevated threat activity in the coming months, according to PwC’s Digital Trust Insights Pulse Survey.
The wrong kind or amount of coverage could be worse than having none at all. A false sense of confidence could end up costing your business more — or cause you to lose it altogether.
All cyber insurance policies are not created equal. Some will pay your ransomware; some won’t. Not all will pay your regulatory fines. Many won’t cover the costs of improvements, after a hack, that could protect you from getting hit again. And if the culprit is spyware installed by a foreign nation? You could wind up in court trying to recoup your costs — and even then, you might lose.
Your enterprise’s resilience — the ability to recover from a disruption within established limits for time and costs — may depend on having adequate, reliable cyber insurance to decrease your costs and time-to-recovery after a cyber attack.
If you’re a C-suite executive, you know that if your enterprise gets breached, the buck stops with you — or goes all the way up to the CEO. And the board also has responsibility with its oversight role of management. But how can you and your teams know if the coverage you have is right for your business?
Knowing which questions to ask about cyber insurance can be its own kind of insurance — one that can help prevent you from making the wrong choices, while protecting your business and bottom line.
This question may seem elementary, but it’s critical to ask.
So often in business, the left hand doesn’t know what the right hand is doing: the people working in cybersecurity and IT, as well as the executives managing and overseeing them, may have no idea whether such a policy exists until the moment they need to file a claim.
Frequently, the assumption is that an existing property damage or business continuity policy will cover an incident even if the policy is “silent” on cybersecurity issues. If this is your situation, you could end up footing the entire bill for a breach or attack, or engaging in a costly court battle for payment.
In the US, the average total cost of a data breach was $8.2 million in 2019, more than twice the global average, according to the 2019 Cost of a Data Breach Report. For the 25 largest incidents involving theft of at least 100 million records, the total cost exceeded $50 million and sometimes reached hundreds of millions of dollars.
To date in 2020, victims of the 11 biggest ransomware attacks have incurred at least $144 million in costs to investigate the attack, rebuild networks and restore backups, pay the ransom and put preventative measures in place to avoid future incidents.
Who’s in charge of selecting and buying cybersecurity liability insurance for your firm — the CIO? CISO? Your risk manager? General counsel?
And in the event of a cyber attack, whose job is it to file the claim and see it through the processing?
Establishing accountability helps confirm that the tasks of managing and mitigating cyber risk get done properly and in a timely manner. Before you can formulate a cybersecurity risk management strategy — critical to operational and digital resilience — you should establish robust procedures and playbooks for incident readiness.
Critical infrastructure organizations — including banks, utility companies, healthcare providers, technology firms, manufacturers and state and local governments — are today’s major cyber attack targets, and may need more coverage than businesses such as retailers. Thus far in 2020, eight of the 10 largest data breaches affected medical or healthcare organizations. Often, these industry targets have discrete industry and regulatory requirements that must be met, which ups the ante even further.
But how much insurance is enough? To help get the right answer, you need to quantify your cybersecurity risk. More mature organizations, such as financial institutions, will have already done this. But those that need it the most often have analyzed their risks the least. And companies in other less-regulated industries, including education and manufacturing, tend to be under-insured for cybersecurity liability.
Sometimes an incident becomes a wake-up call for an industry. After the debilitating NotPetya attack, the maritime industry began to improve its cybersecurity. Threat information sharing has improved, and as a result, cyber insurance products emerged.
Quantifying risk now can prevent headaches — and potentially catastrophic losses for small and midsize companies — later on. Admittedly, placing a dollar sign on your cyber risk isn’t easy: It’s a young field with few specialists today.
What are the exclusions on your policy? Find that out now! When your systems are being held hostage is not the time to find out that your cyber insurance policy excludes ransomware payments, for instance.
Most policies will reimburse you for network security expenses, hiring legal counsel and paying a forensics vendor. Often, they will pay the costs of restoring data and bringing your operations back online.
What about the cost of a root cause investigation? That may not be covered.
And what about the cost of breach notifications? If you’ve had 100,000 credit card numbers stolen, the cost of notifying the cardholders could be prohibitive.
Does your policy cover public relations and communications? The right messaging can be critical for preventing or repairing reputational damage.
Will your insurance pay the cost of providing credit monitoring and ID restoration to customers whose personally identifiable information (PII) was stolen?
If you’re hit by ransomware, will your policy pay the costs of negotiating with the attacker and paying the ransom?
If an advanced persistent threat (APT) infiltrates your system in a nation-state attack, will your insurance fund your recovery, or will it write off the incident as an “act of war”? (This was tested in the wake of the NotPetya attack.) This question should no longer be hypothetical, with the predicted increase in sophistication of APTs.
And what if your organization incurs fines for violating the European Union’s General Data Protection Regulation (GDPR), the NYDFS Cybersecurity Regulation, the California Consumer Privacy Act (CCPA) or some other cybersecurity or privacy regulation? How much, if anything, will your insurance company pay?
A caveat: If your enterprise gets hit by malicious actors because your security wasn’t strong enough, your insurance policy probably won’t pay for you to strengthen your systems to avoid another attack. But that doesn’t mean you shouldn’t take this precaution.
Insurance companies are used to dealing with risks and threats, such as natural disasters, overseas riots and loan defaults. However, they may not understand how phishing, social engineering and malware work — and the dangers they pose to your enterprise.
Do insurance providers grasp the privacy and security requirements that HIPAA imposes on the healthcare industry, as well as the privacy and security concerns raised by a regulatory push for sharing patient data? Do they understand the importance of the Federal Financial Institutions Examination Council’s (FFIEC) or the Bank of England’s guidance on operational and digital resilience in financial services?
Your cybersecurity liability policy should be flexible enough to adapt to malicious actors’ tactics. It should also allow your organization to adapt and change as your business and technology needs grow without having to augment your policy.
At the same time, your team should actively review your cyber policy at each renewal time. If you don’t feel equipped to determine whether your policy is sufficient, get help — either from an in-house team, outside legal counsel, or an experienced and qualified consultant.
The responsibility for protecting the organization’s systems, network and assets sits at the very top: The CEO owns the risk. The role of the CISO, CIO and CRO is to make the CEO understand how much risk he or she would carry by not having adequate cyber insurance. The board should also discuss and be comfortable with the cyber risk appetite as part of its oversight role of management’s activities.
Cyber & Privacy Innovation Institute Leader, PwC US
Director, Technology & Operational Resilience, PwC US
Principal, Cybersecurity and Privacy, PwC US