If the phrase “Great Scott!” in this blog’s title resonated with you, you might be a fan of the 1985 movie Back to the Future. It centered on Marty McFly and his pal, Doc Brown (the guy who shrieks “Great Scott” a lot, but it’s funny). Marty travels thirty years into the past in Doc Brown’s time machine and spends the rest of the movie trying to get back to, yes, the future. See it if only for the gull-wing DeLorean, the most stylish way imaginable to travel through time.
Segue alert. Cyber insurance is a lot like a time machine. Ideally, it provides a reset: even if your organization suffers a breach, collecting on your cyber insurance policy gives you the chance to fix the damage and get back to business quickly. But while we avoid giving spoilers on this blog, in the realms of both time travel and cyber insurance you don’t always end up back where you started, not exactly. That’s all we’ll say about the movie. But cyber insurance: why wouldn’t it be the perfect slate-cleaner? For one thing, getting a cyber insurance policy, and collecting on it, involves some hurdles. We’ll talk about them, and about why a solid Compliance posture is essential whether or not you decide to purchase (or ever need to collect on) cyber insurance.
We’ve talked about risk before, but here’s a quick refresher. There are four main ways to respond to business risk, each with their pros and cons, and businesses generally use a mix of these approaches:
As cyber insurance payouts have soared, insurers have raised premiums, which increased by 53% globally in the third quarter of 2022. Insurers have also expanded exclusions. In addition, insurers are imposing stricter underwriting requirements, demanding more evidence that an applicant for cyber insurance has strong security measures in place; if it doesn’t, an insurer may charge a higher premium, exclude ransomware and other events from the policy, or simply turn down the applicant. And buying coverage against ransomware attacks doesn’t guarantee the insurer will pay up. The answers on the application form are part of the contract, so a control you attest to but haven’t fully deployed can void the coverage. That lack of proper controls can be fatal, as seen in the recent case of Travelers Property Casualty Company of America v. International Control Services, Inc. (No. 22-cv-2145). There, the policyholder’s multi-factor authentication (MFA) turned out to be incomplete, contrary to the statement on its application, leaving the organization exposed to a known vulnerability that a threat actor exploited. The result: the policy was rescinded and the policyholder could not collect. The practical lesson is that “we have MFA” has to mean MFA enforced on every account and every remote-access path (email, VPN, remote desktop, administrative consoles, service accounts), not just on the most visible one. Finally, even if a policyholder who suffers a ransomware attack does manage to collect, it won’t necessarily be compensated for the reputational hit.
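The Travelers case turns on the gap between attesting to MFA and actually enforcing it everywhere. The following is an added example, not code from the original post or from any insurer or vendor: a small audit script that takes an account inventory and reports MFA coverage per remote-access surface, counting an account as covered only when a factor is both enrolled and enforced. The CSV inventory, its column names, and the accounts in it are constructed for illustration; a real run would use an export from your identity provider or directory.

```python
"""
Added example (not from the original post): an MFA-coverage check to run
before answering an insurer's "Is MFA enforced?" question. The inventory
below is constructed for illustration; in practice it would come from an
identity-provider or directory export. The column names are assumptions.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export: account, the surface it can reach, whether it is
# privileged, whether an MFA factor is enrolled, and whether the login policy
# actually enforces that factor (enrolled-but-optional is the classic gap).
SAMPLE_INVENTORY = """\
account,surface,privileged,mfa_enrolled,mfa_enforced
alice@example.test,email,no,yes,yes
bob@example.test,email,no,yes,yes
carol@example.test,vpn,no,yes,no
dave@example.test,rdp,yes,no,no
svc-backup,rdp,yes,no,no
erin@example.test,admin-console,yes,yes,yes
"""


def parse_inventory(text):
    """Parse the CSV export into a list of dicts with boolean fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "account": row["account"].strip(),
            "surface": row["surface"].strip(),
            "privileged": row["privileged"].strip().lower() == "yes",
            "mfa_enrolled": row["mfa_enrolled"].strip().lower() == "yes",
            "mfa_enforced": row["mfa_enforced"].strip().lower() == "yes",
        })
    return rows


def mfa_report(accounts):
    """Summarize MFA coverage per surface and list the accounts that fall short.

    An account only counts as covered when MFA is both enrolled and enforced.
    An enrolled-but-optional factor is exactly the kind of "incomplete MFA"
    that undermines an attestation on an insurance application.
    """
    per_surface = defaultdict(lambda: {"total": 0, "covered": 0})
    gaps = []
    for acct in accounts:
        stats = per_surface[acct["surface"]]
        stats["total"] += 1
        if acct["mfa_enrolled"] and acct["mfa_enforced"]:
            stats["covered"] += 1
        else:
            gaps.append(acct)
    # Privileged accounts first, then by surface and name, so the worst gaps
    # (an admin or service account reachable over RDP with no MFA) lead the list.
    gaps.sort(key=lambda a: (not a["privileged"], a["surface"], a["account"]))
    return {"per_surface": dict(per_surface), "gaps": gaps}


def can_attest_mfa(report):
    """True only when every account on every surface is covered."""
    return not report["gaps"]


if __name__ == "__main__":
    rep = mfa_report(parse_inventory(SAMPLE_INVENTORY))
    for surface, s in sorted(rep["per_surface"].items()):
        print(f"{surface:14s} {s['covered']}/{s['total']} covered")
    for g in rep["gaps"]:
        flag = "PRIVILEGED" if g["privileged"] else ""
        print("GAP", g["account"], g["surface"], flag)
    print("safe to attest full MFA:", can_attest_mfa(rep))
```

On the constructed inventory the email surface is fully covered, but VPN and RDP are not, and two of the three uncovered accounts are privileged; `can_attest_mfa` therefore returns False, which is the answer you want before an underwriter asks, not after a claim is filed. The same shape of check applies to any control you attest to (EDR deployment, backup coverage, patch status): inventory every asset in scope, compare against the policy that is actually enforced, and keep the output as evidence for the audit trail.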
The coverage gap is significant enough that the US Treasury Department is considering a national cyber insurance program as a backstop to cover “catastrophic” attacks that involve critical infrastructure.
But with cyberattacks becoming more frequent, severe, and expensive, cyber insurance remains an important element of loss recovery measures in case of a cyberattack.
If your organization wants to get cyber insurance, it should take certain steps to prepare for the process. Without getting mired in details, here’s an overview:
Your company should also consider the type and cost of the coverage it requires. Make sure your policy has enough coverage for your organization’s ever-changing needs. And at the risk of repetition, know exactly what your policy covers and excludes, including the triggers, limits, and conditions that affect coverage, to avoid unwelcome surprises later.
A company seeking cyber insurance can benefit from having strong Compliance. That may not seem obvious: Isn’t cyber insurance supposed to mean that you’re (mostly) covered when bad things happen? So why is Compliance still important?
The obvious answer: Whether it has cyber insurance or not, an organization that has adopted ISO, SOC 2, etc., will still need to show that it complies with those frameworks. But for a company seeking cyber insurance, a strong Compliance posture—one that reflects the presence of effective controls—can also do the following:
In fact, insurers are increasingly asking applicants whether, and how often, they undergo third-party audits, including SOC reports and HITRUST certification.
Here are five Compliance-related recommendations that could help you get cyber insurance, as well as strengthen your defenses:
OK. It’s not a time travel movie. Still, the goal of cyber insurance is to get your company back in business as soon as possible after a cyberattack. But why not aim higher? Robust Security Compliance is a business’s best chance of getting cyber insurance, at better rates, without an exclusion for ransomware, while also reducing the likelihood of being the victim of a cyberattack in the first place. Because really, you want that cyber insurance policy in case all your precautions fail. But wouldn’t you prefer never to collect on it, and never to face the disruption of a ransomware attack? When your Compliance posture helps you prevent bad things from happening, you can live happily ever after.
---------
*Compliance requirements around business continuity planning include:
**Compliance requirements around security awareness training for phishing include:
***Compliance requirements around EDR include:
****Compliance requirements around MFA include: