Cyberattacks against all kinds of companies are on the rise. And according to some estimates, both small and medium-sized businesses are at risk as hackers can penetrate 93% of them. In addition to stepping up cyber defenses, companies are increasingly looking into cyber insurance that may cover the blow of ransomware and other attacks.
However, insurers are getting anxious about providing such coverage. Last year insurance giant AXA announced it would no longer provide support for ransom payments made to hackers. Other insurers are also being more careful about writing new policies or even renewing existing ones. But businesses can take some steps to increase the odds of qualifying for this critical coverage.
This issue should not be ignored, and it is not just about covering ransomware. In one case, a business’ employee inadvertently transmitted a virus to customers and suppliers — and the company was sued for more than $3 million for failing to contain the virus. Elsewhere, an email that appeared to be from a long-standing vendor directed a company to update banking information for their account. The company did so, and more than $200,000 was misdirected to the fraudster.
Beyond liability protection
Depending on how it is written, a cyber-insurance policy may offer more than just liability protection — so it is important to carefully review the new or existing policies. It may cover legal costs as well as costs for forensic analysis, data restoration, and communications related to the breach. But even before the AXA pullback, many cyber insurance companies were already asking for more from the companies they insured. Some insurers require policyholders to complete certain basic security steps while others charge a coinsurance or limit payment to a percentage of the loss incurred.
Although a layered approach is the best cyber defense and the one most likely to meet insurer requirements, where do you start and where do you stop? At a minimum, insurers often want clients to document the presence of a significant first line of defense like multi-factor authentication (MFA). Instead of relying on a single password, MFA-protected email and other systems require at least two verification methods to establish identity; for example, a password plus a verification code texted to a cellphone.
Additionally, as part of their deliberations, insurers will often evaluate the entire operations of a company — and a business may benefit by anticipating this sort of scrutiny. Conducting your own review before applying for renewal or a first-time policy is a good starting point. Take a close look at your company and understand the potential risks of the business.
Here are a few questions you may ask yourselves for self-evaluation:
- Does your company acquire and process personally identifiable information like Social Security numbers or medical records? If so, do you have appropriate security measures in place, and are you compliant with regulatory requirements?
- Do you have an extensive remote workforce? If so, are they using secured computers with the latest anti-virus and other defenses installed? Do the desktops and laptops include MFA and is the data stored on them encrypted? Are they (and any software installed on the units) configured to automatically install manufacturer patches or other updates?
- Does your organization have rules about how the devices are used — so a work-issued device will not be used to log on to MMO (massively multiplayer online) games, which are often hotbeds of viruses and other threats? And are such restrictions monitored and enforced?
Access is another often-overlooked security issue. Sensitive data should be segregated and only accessible on a need-to-know basis. The sales department, for example, should not have access to bank accounts, R&D or accounting files.
An insurer will also want to know whether a business has plans in place in the event of a breach. Are you backing up files consistently and then isolating the backups so they will not be corrupted or infected by a cyber-breach? And do you have written guidelines for these and other procedures?
How about training? As with DEI and other compliance topics, businesses should hold formal training sessions two or three times a year for employees, followed by testing. Your managed service provider may provide this kind of customized training and follow it up with simulated phishing emails and other testing methods to identify whether employees are clicking on unsafe links or engaging in other risky cyber behavior.
Additionally, your insurer will likely question your company’s activities across operations. So, as you review your company’s policies and procedures, it is good to get input from multiple departments, including accounting, IT, the shop floor manager (for a manufacturer), and other employees.
Companies that review their operations early, well before they apply for a policy or a renewal, will be in a better position when it’s time to negotiate the terms and pricing of the coverage. Study the terms carefully (your managed service provider may be able to steer you to an analyst), since an unnoticed gap or shortfall in coverage can leave a company hanging after a cyber breach.
No one plans to be targeted by a cybercriminal, but the sad truth is that it’s not a matter of whether a company will suffer a breach but rather when it will be. Companies that plan carefully and have a coordinated defense system in place — with good insurance coverage as a backup — are more likely to be able to mitigate any damages.
Carl Mazzanti is the president of eMazzanti Technologies, a firm that specializes in cybersecurity in New Jersey.