What your business should know about its cyber insurance policy
So, your business is discussing its cybersecurity strategy and, more specifically, its cyber insurance policy. You don’t want to find out your business has the wrong coverage or IT solutions after the damage has been done. Taking a proactive approach will help get you on the right path toward safeguarding your business. But where should you start?
Before we dive in, we must note that our expertise is on the IT side of things, not the insurance side. The article and the assessment below are resources for you to review with your insurance agent or provider, not with us. We are not offering any insurance or legal advice.
We also need to say that while having cyber insurance is important, it is just one piece of the puzzle. We recommend that your business have a full cybersecurity stack in addition to insurance. Insurance without the solutions, or vice versa, may leave you vulnerable to cyberattacks or liable for damages.
Now, let’s walk through what cybersecurity insurance is, some resources that can assist you and how an MSP can help.
What is cybersecurity insurance?
Cybersecurity insurance (sometimes called cyber liability insurance) is intended to help businesses recover damages suffered during a cybersecurity incident. This can include the cost of recovering data, lost income and fines, among many other things. However, cyber insurance can only be one piece of your cybersecurity strategy.
According to a study by CYE on 101 cyber breaches across different business sectors, about three-quarters of breaches were not covered by cyber insurance.
Now, we don’t say this to scare you away from cyber insurance. Still, it should highlight the fact that proper cybersecurity measures should be taken in addition to your cyber insurance policy, not in place of it. As new threats evolve, it’s important to do all we can to prevent the attacks in the first place.
To avoid getting blindsided, you want to better understand your cybersecurity policies and what you’re being protected against. Here are some ways you can assess what you have and what you’ll need.
Cybersecurity Policy Assessment
A cyber insurance policy assessment helps you gain a better overview of your business's policy and what it covers. The policy assessment should be completed with your insurance carrier or agent, as they can provide the proper expertise. We’ve provided a brief overview of one of these assessments below, and our free assessment is also available to download.
Once you have a better understanding of your policy, what it covers and what cybersecurity infrastructure you need to have in place, you’ll be ready to talk with an MSP and let them know what you need.
Understanding your policy and your organization
Here’s an overview of the assessment and some context on what will be relevant to your MSP.
High-level cyber insurance policy information
- Is it separate from your base policy?
- Do you have a compliance program?
- When was the last time you reviewed it?
What type of sensitive information does your organization handle, process or store?
As more of our work and data moves online and to devices, securing that data remains just as important. It’s no different than keeping an important file cabinet locked up. Here are some examples of data that needs to be protected:
- Protected Health Information (PHI)
- Financial Information
- Intellectual Property
- Employee Data
- Customer Data
- Student Records
- Legal Documents
- Corporate Data
- IT Security Data
Talk with your MSP or IT partner about the data you need to protect. A good partner will be able to follow best practices to secure the data and help you stay compliant.
In this section of the assessment, you and your insurance advisor will also be asked what type of first- and third-party coverage you have and any policy exclusions.
Properly Implemented Cybersecurity Measures
The assessment wraps up with some self-assessment questions:
- Do your policy and service conditions align with your business needs?
- Have you implemented what you’ve attested to?
Speaking from an IT perspective, you’ll want to confirm that last question with your IT partner. Who manages policies or procedures like multi-factor authentication (MFA) or strong password management? Are the policies being properly enforced?
It’s crucial that the items you attested to are actually being implemented and managed across the board. The last thing you want to do is unknowingly attest to something that isn’t turned on or something that is turned on but isn’t properly managed.
Gaps like these can leave businesses vulnerable and searching for answers. You and all your coworkers might use MFA every time you log on, but all it takes is one employee in bypass mode (which essentially means MFA is turned off for them) to allow a breach.
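One way to check an MFA attestation against what is actually configured, as an added example that is not part of the original article: the script reads a constructed user export and lists every enabled account that contradicts an "MFA is enforced for everyone" statement, including accounts in bypass mode. The column names and mode values are assumptions; map them to whatever your identity provider actually exports.

```python
import csv
import io

# Constructed sample export. Column names and values are assumptions for
# illustration, not the format of any particular identity provider.
SAMPLE_EXPORT = """\
username,account_type,account_enabled,mfa_mode,enrolled_factors
alice,user,true,enforced,2
bob,user,true,bypass,1
carol,user,true,enforced,0
dave,user,false,bypass,1
svc-backup,service,true,bypass,0
erin,user,true,enforced,1
frank,user,true,off,0
"""

def audit_mfa(export_text, exempt_types=()):
    """Return (findings, coverage) for accounts that can sign in.

    findings is a list of (username, reason); coverage is the share of
    in-scope accounts that are genuinely protected by MFA.
    """
    findings, in_scope = [], 0
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["account_enabled"].strip().lower() != "true":
            continue  # disabled accounts cannot sign in
        if row["account_type"].strip() in exempt_types:
            continue  # only types your policy explicitly carves out
        in_scope += 1
        mode = row["mfa_mode"].strip().lower()
        factors = int(row["enrolled_factors"] or 0)
        if mode == "bypass":
            reason = "bypass mode: MFA is effectively off"
        elif mode == "off":
            reason = "MFA not required for this account"
        elif mode != "enforced":
            reason = f"unrecognized MFA mode {mode!r}"  # fail closed
        elif factors == 0:
            reason = "MFA required but no factor enrolled"
        else:
            continue  # enforced with at least one factor: compliant
        findings.append((row["username"], reason))
    coverage = (in_scope - len(findings)) / in_scope if in_scope else 0.0
    return findings, coverage

if __name__ == "__main__":
    findings, coverage = audit_mfa(SAMPLE_EXPORT)
    print(f"MFA coverage: {coverage:.0%} of enabled accounts")
    for user, reason in findings:
        print(f"  {user}: {reason}")
```

Service accounts are in scope by default, so any exemption has to be passed in deliberately and can be compared against the exclusions written into the attestation.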
Completing other forms or applications
If you’re still wondering more about cyber insurance and the process, Travelers Insurance has resources on its website that can give you an idea of what some of these forms and applications look like and some of the questions you’ll be asked.
Next Steps with Your MSP
Once you’ve met with your insurance advisor and completed the assessment, you can return to the MSP with clear answers on what cybersecurity measures are needed for your business.