Great Scott! What You Need to Know About Cyber Insurance (And How Compliance Can Help)

If the phrase “Great Scott!” in this blog’s title resonated with you, you might be a fan of the 1985 movie Back to the Future. It centered on Marty McFly and his pal, Doc Brown (the guy who shrieks “Great Scott” a lot, but it’s funny). Marty travels thirty years back to the past in Doc Brown’s time machine and spends the rest of the movie trying to get—yes—back to the future. See it if only for the gull-wing DeLorean, the most stylish way imaginable to travel through time.

Segue alert. Cyber insurance is a lot like a time machine. Ideally, it provides a reset, so that even if your organization suffers a breach, collecting on your cyber insurance policy gives you the chance to fix the damage and get back to business quickly. But while we avoid giving spoilers on this blog, sometimes, in the realms of time travel and cyber insurance, you don’t end up back where you started, not exactly. That’s all we’ll say about the movie. But cyber insurance: Why wouldn’t it be the perfect slate-cleaner? For one thing, getting a cyber insurance policy, and collecting on it, involves some hurdles. We’ll talk about them, and why a solid Compliance posture is essential whether or not you decide to purchase (or collect on) cyber insurance.

Risk, redux

We’ve talked about risk before, but here’s a quick refresher. There are four main ways to respond to business risk, each with their pros and cons, and businesses generally use a mix of these approaches: 

• Avoidance: Hard to pull off when your risk involves a component or process that’s essential to running your business.
• Acceptance: You might accept all risks as a small startup because you have no customers and therefore no customer data. Beyond that point, a risk that exceeds your organization’s established risk appetite needs a different approach.
• Mitigation: Mitigating risk is the core of what a Compliance team does: help build controls, test that they’re actually working, and measure the ROI of your risk-mitigation measures.
• Transfer: Why have cyber insurance in the first place? Because your risk register indicates that one or more risks are beyond your organization’s risk appetite and too big even to mitigate. Cyber insurance is the solution, in theory, to manage catastrophic risk where the costs of making your organization whole would otherwise be too great. Your organization pays premiums, and in the event of a catastrophe, it gets a payout, in theory, that covers financial losses and the costs of digital forensic investigations and lawsuits. Cyber insurance does not cover all losses (which we’ll discuss further, below). Cyber insurance can be in the form of a first-party contract or a third-party contract. First-party coverage protects your company’s data, including employee and customer information. Third-party coverage generally protects you from liability if a third party brings claims against you.

Cyber insurance—and why it’s getting harder to get the coverage you need

As cyber insurance payouts have soared, insurers have raised premiums—which increased by 53% globally in the third quarter of 2022. Insurers have also increased exclusions. In addition, insurers are imposing stricter underwriting requirements, demanding more evidence that an applicant for cyber insurance has strong security measures—and if not, an insurer may charge a higher premium, exclude ransomware and other events and items from the policy, or just turn down the applicant. And buying coverage against ransomware attacks doesn’t guarantee the insurer will pay up. The lack of proper controls can be fatal, as seen in the recent case of Travelers Property Casualty Company of America v. International Control Services, Inc. (No. 22-cv-2145). There, a policyholder’s multi-factor authentication (MFA) turned out to be incomplete, contrary to its statement on its application—thereby leaving the organization exposed to a known vulnerability which was exploited by a threat actor. The result: The policyholder could not collect. Finally, if a policyholder who suffers a ransomware attack does manage to collect, they won’t necessarily be compensated for the reputational hit.

The coverage gap is significant enough that the US Treasury Department is considering a national cyber insurance program as a backstop to cover “catastrophic” attacks that involve critical infrastructure.

But with cyberattacks becoming more frequent, severe, and expensive, cyber insurance remains an important element of loss recovery measures in case of a cyberattack.

Preparing for the process

If your organization wants to get cyber insurance, it should take certain steps to prepare for the process. Without getting mired in details, here’s an overview:

• Perform a detailed cyber risk assessment with the help of an expert, and identify relevant cyber threats.
• Shop around for reputable insurers.
• Discuss with your shortlist of potential insurers which cyber threats should be covered.
• Review the plan carefully, especially exclusions.
• Negotiate.

Your company should also consider the type and cost of the coverage it requires. Make sure your policy has enough coverage for your organization’s ever-changing needs. And at the risk of repetition, know exactly what your policy covers and excludes, including the triggers, limits, and conditions that affect coverage, to avoid unwelcome surprises later. 

Cyber insurance coverage goes hand-in-hand with Compliance

A company seeking cyber insurance can benefit from having strong Compliance. That may not seem obvious: Isn’t cyber insurance supposed to mean that you’re (mostly) covered when bad things happen? So why is Compliance still important? 

The obvious answer: Whether it has cyber insurance or not, an organization that has adopted ISO, SOC 2, etc., will still need to show that it complies with those frameworks. But for a company seeking cyber insurance, a strong Compliance posture—one that reflects the presence of effective controls—can also do the following:

1. Make it more likely that the applicant will be offered cyber insurance,
2. Reduce the applicant’s cyber insurance premiums, 
3. Reduce the likelihood that it falls victim to a cyberattack, and
4. Avoid what happened in the Travelers case, in which the policyholder’s inadequate controls allowed the insurer to rescind the policy.

In fact, insurers are more frequently asking applicants whether and how frequently they undergo third party audits, including SOC reports and HITRUST certification. 

Here are five Compliance-related recommendations that could help you get cyber insurance, as well as strengthen your defenses:

1. Business continuity planning (or, backing up data isn’t enough).* The best defense against having to pay up if ransomware hits: backing up data. But data doesn’t help if it’s unusable. So make sure the data you back up is uncorrupted. Store it wisely. And regularly test your data recovery ability. Sometimes companies learn from adversity. A Minnesota trucking company that had to pay ransomware in 2018 was struck again in early 2022. This time, though, they credited “quick action, training and cloud-based backups” with allowing them to resume 90% functionality quickly and avoid paying a ransom.
2. The human element: train users to recognize phishing attacks.** But try not to use “gotcha” training—phishing simulation programs that fool employees into clicking and make them feel incredibly stupid (and angry) for falling for the trick email. Gotcha training tends to embarrass people and doesn’t necessarily drive them to learn to recognize phishing emails. Instead, use effective training methods with measurable results, so you know that they are building users’ resistance to being attacked. In a Swiss study published in December 2021 of a simulated phishing program, crowd-sourced phishing detection was found effective and practical, while embedded phishing training did not increase security. 
3. Invest in reliable endpoint detection and response (EDR).*** If ransomware or other malware gets on a laptop, EDR will detect it and respond appropriately. What if a user forgets all their training and clicks on a phishing link? With EDR, their laptop detects that malware before it gets to your production environment. 
4. Use MFA.**** MFA is an additional strong defense in case a user clicks on a phishing email that would otherwise give attackers access. Almost half of all data breaches in the first half of 2022 began with stolen credentials. 
5. Look to your Compliance for assurance that your company is as secure as you think. Are your security controls working as you think they are? That’s where Compliance comes in—to validate that the controls you need are in place and effective. Did an engineer disable the EDR tool on their laptop? You should have a control that can tell you that and will disable the laptop until the EDR is re-enabled. 

The Way We Were

OK. It’s not a time travel movie. Still, the goal of cyber insurance is to get your company back in business as soon as possible in case of a cyberattack. But why not aim higher? Robust Security Compliance is a business’s best chance of getting cyber insurance, at better rates, without an exclusion for ransomware—while reducing the likelihood of being the victim of a cyberattack in the first place. Because really, you want that cyber insurance policy in case all your precautions fail--but wouldn’t you prefer to avoid having to collect on it, and facing the disruption of a ransomware attack? When your Compliance posture helps you prevent bad things from happening, you can live happily ever after.

‍

---------

*Compliance requirements around business continuity planning include:

• SOC 2 - CC7.5, CC9.1
• CIS - 11
• ISO 27701 - 6.14.1.2
• NIST CSF - ID.BE-5, PR.IP-9, RC.RP-1
• HIPAA - 164.308(a)(7)(ii)(B), 164.308(a)(7)(ii)(C), 164.310(b)GDPR - Art 32.1, Art 32.2

**Compliance requirements around security awareness training for phishing include:

• SOC 2 - CC1.1, CC1.4, CC1.5
• CSA CCM - HRS-01, HRS-02, HRS-03, HRS-04
• NIST 171 - NFO - PS-1
• NIST CSF - PR.IP-11
• PCI DSS 4.0 - 12.2, 12.2.1, 12.7, 12.7.1
• GDPR - Art 32.1, Art 32.2, Art 32.4

***Compliance requirements around EDR include:

• CSA CCM - UEM-07
• ISO 27701 - 6.9.6.2

****Compliance Requirements around MFA include:

• CIS - 6.3, 6.4
• CSA CCM - IAM-14
• ISO 27701 - 6.8.1.2
• NIST 171 - 3.5.3
• NIST CSF - PR.AC-7
• PCI 4.0 - 8.2.3, 8.4, 8.4.2, 8.4.3, 8.5.1
• NYDFS - 500.12