Back in the day, insurance companies didn’t understand what they were getting into when they started offering cyber liability insurance. They discovered an untapped market and thought they’d hit a motherlode of revenue. There weren’t a ton of breaches at the time, but certain organizations were willing to pay good money for insurance protection.

At the start, nearly anyone could be approved for a cyber liability policy simply by answering a few basic questions. Honestly, it would have been difficult to get your applications turned down. And for a while, it was a highly profitable venture for the insurance companies. 

But as data breaches and cyberattacks increased, the insurance industry discovered that a large number of policyholders weren’t living up to their responsibilities to protect themselves. Suddenly, the prospect of offering cyber liability insurance was a very costly one for insurance companies. And that’s when things started to change.

The changes in cyber liability insurance have been swift, and many companies are still operating on assumptions that are now outdated. Perhaps your company is still relying on obsolete information, as well. 

Let’s take a look at some of the myths and misunderstandings about cyber liability insurance in today’s environment — and what you should and shouldn’t expect from your cyber insurance policy.

Will Your Cyber Liability Insurance Really Cover You? 

Insurance Can’t Replace a Compliance Program

If someone were to say to me, “Adam, you have two choices: One, you keep your cyber liability coverage. Two, you invest in maintaining a strong security and compliance program. Which of those two will you keep?” In a heartbeat, I would choose the second option, because it’s the security and compliance program that’s actually protecting the company. 

If we were to get breached, insurance can give our company a bag of cash for cleaning up the massive mess we’ll need to deal with. And hopefully it’ll be enough money to keep us in business. But the damage a breach does to an organization in the aftermath of a cyberattack goes way beyond the financial. You can have all the insurance coverage you could possibly need and still watch your business dissolve as a result of a data breach.

Keeping a tight ship with a security and compliance program reduces the chance you will ever need to make a claim in the first place. It protects every aspect of your business, including your reputation, customer retention, and new sales.

At the same time, it’s not an either/or scenario. I’m NOT saying that you shouldn’t have cyber liability insurance. TCT is covered by insurance, and we do not recommend neglecting the protection of your company in that way.

Think of your cyber liability insurance as your holy-moly emergency parachute. It’s the thing you deploy when you’ve already fallen out of the plane and it’s the only thing left that can save you. That’s how you should view your cyber liability insurance.

Your Cyber Insurance Questionnaire Matters. A Lot.

Historically, the person designated to fill out insurance paperwork has usually been someone in the Finance department. If that’s the case at your organization, stop it — immediately.

Why is that a problem? Because your CFO or accountant has limited visibility into the real security and compliance posture of the organization. I mentioned earlier that the questionnaires used to be a handful of questions. When the insurance companies woke up to reality they immediately started expanding their questionnaires, and they are now lengthy, detailed inquiries into the specific controls an organization has in place: things like whether multi-factor authentication is enforced on email and remote access, whether endpoints run detection and response tooling, how backups are isolated and tested, and how quickly critical patches are applied.

The CFO can take their best shot at filling out the 60-page questionnaire from the insurance company, but they’re bound to guess wrong. More often than not they’ll answer yes, assuming that such-and-such control must be in place.

Even if they forward the paperwork to the IT department, IT may not know all of the correct answers, themselves. (As a general rule, IT professionals aren’t cybersecurity experts.) Each answer should come from whoever actually owns the control in question, and it should be backed by evidence you could hand to an adjuster later: a written policy, a configuration export, a screenshot of the setting, or an audit report. If you can’t produce that evidence today, the honest answer is “no” or “partially,” not “yes.”

Now, what happens if your company has an incident and makes a claim on the insurance policy with wrong answers on the questionnaire? One of the first things the insurance company will do is bring in its own experts. These experts will assist with conducting a forensic analysis to determine exactly what happened, where the problem lay, and how much data was compromised.

They will also compare the cyber liability questionnaire against the organization’s actual cybersecurity practices as the investigation reveals them. This is critical, because a material misrepresentation on the application gives the carrier grounds to deny the claim or rescind the policy outright if it turns out the company wasn’t doing what it said it was doing. A control that was claimed but missing, and that the attacker exploited, is the worst possible finding.

So when the wrong personnel fill out the insurance survey, you’re essentially paying for a policy you may never be able to collect on. And you’re setting your organization up to be completely unshielded from financial ruin.


How Far Does Your Responsibility Extend?

Cyber insurance won’t pay out for organizations that haven’t implemented controls covering the full extent of their data protection responsibilities. If your company is checking the boxes but not maintaining the controls as indicated on your cyber insurance application, you won’t see a dime from your cyber liability coverage.

Many organizations think that if they outsource their IT or use a third party hosting company, they don’t have exposure because that third party is responsible for it.

The fact is, there are multiple realms of responsibility, and third party vendors only take on a portion of it. A hosting provider is typically responsible for the security of the underlying infrastructure; you remain responsible for your data, your user accounts and access control, your configurations, and the applications you run on top of it. The majority of the responsibility is still on the client’s shoulders. It is also your responsibility to assess the security posture of your vendors, confirm they remain compliant (for example by reviewing their audit reports and contractual commitments), and manage that relationship over time.

So it’s in your organization’s best interest to do that exercise as part of your security/compliance program: write down, control by control, who is responsible for what, so you clearly understand where all the boundary lines lie between the organization and your various vendors. That responsibility matrix is also what lets you answer the questionnaire honestly when it asks about controls your vendor operates on your behalf.

I can’t tell you how many companies I’ve personally seen that have third-party hosting and thought they could pass along 100% of their responsibility to the hosting provider, which is a completely false assumption. 

Some organizations think that if they don’t store credit card information, medical records, or banking information, then they don’t have anything to protect. What these companies fail to understand is that plenty of companies have been taken apart very publicly (think of your organization’s name in lights on Google) where the only information involved in the data breach was names, addresses, emails, and phone numbers.

You don’t have to possess the keys to the kingdom to justify taking security seriously. Names, addresses, emails, and phone numbers are exactly what an attacker needs to run convincing phishing and fraud campaigns against your customers, and the resulting loss of trust is enough to put your company at risk of closing for good.

There’s also your intellectual property. It may be a patent. It could be a piece of software. It might be a stealth product that’s currently in development. If there’s something your competitors would love to get their hands on, or your customers are happy to pay for, then you have something that’s worth protecting.

You May Not Have the Coverage You Think You Have

A lot of organizations are under the misconception that anything in the cyber arena is covered by their general liability or professional liability insurance. That depends entirely on what’s covered under those policies, and many general liability policies now carry explicit exclusions for data breaches and other cyber losses. When they get breached, these organizations are shocked to discover too late that they aren’t wholesale covered through their other existing policies.

Have a clear, in-depth conversation with your insurance agent to be sure you understand exactly what is — and what isn’t — covered by your existing insurance policies.

Get Better Cyber Insurance Rates 

The cost of cyber liability insurance has skyrocketed in recent years, and some companies might find it harder and harder to justify paying into their policies.

However, you might be able to gain a financial benefit by taking your cybersecurity stance seriously. Companies that can document a track record of due diligence are often able to negotiate lower insurance premiums with their carriers.

If you have proof of a strong compliance program, your company represents much less risk for the insurance carrier. Less risk naturally justifies lower premiums.

If you’re already taking security and compliance seriously, review your insurance policy and see if you can negotiate lower payments with your carrier.

Don’t Get Caught Unprepared

As custodians of your and your customers’ sensitive information, you have a responsibility to invest in your cybersecurity and compliance program. Cyber liability insurance is no replacement for a seriously run security and compliance program — it’s just a last resort to keep your company alive if you’re unfortunately breached.

But if your company is operating under assumptions about cyber insurance that are no longer true, your organization could be at greater risk than you imagine. Review your policy and make sure your insurance questionnaire is being filled out accurately by the people who own the controls. Do your due diligence and don’t assume you can shift your responsibilities to other parties.

Need help maintaining your compliance and navigating cyber liability questionnaires? TCT can provide the technologies and the consultants you need to keep your company safe. 
