This story originally appeared in Buffalo Business First’s Leadership Trust.
With digital threats on the rise, more businesses are viewing cybersecurity insurance as a priority or a necessity — not just something that’s nice to have. It’s especially become more important in a post-Covid business world.
Still, a cyber insurance policy is just a starting point to protect your business. There are certain expectations these insurers look for businesses to meet to avoid claims being denied.
Almost all cyber insurance policies have exclusion clauses.
Under certain circumstances, cyber insurance policies will not cover all liability for your business. You should be aware of these common exclusion clauses, which include:
• Employees acting outside the scope of their work.
• Wide-spread digital viruses impacting many businesses.
• Regulatory and legal challenges and related penalties.
• Physical damage to company property.
Cyber insurers may deny a claim if they find “a failure to maintain” or “failure to follow,” both the online version of negligence, certain minimum-security standards and practices as outlined in the insurance policy.
So, understanding the exclusions, what steps can you take now to meet your company’s requirements for cyber insurance?
How can you show a standard of care in cybersecurity?
Insurance companies want proof that your business is taking proper precautions to prevent cyberattacks. And if you haven’t taken the necessary steps to protect your company’s digital infrastructure, there’s no guarantee your insurance claim will be granted.
Here are some steps you can take to prevent the chances of a cyber insurance claim denial:
Step 1: Map out your company’s entire technology landscape so the insurer can understand the scope of your digital presence. It’s a good practice to document everything you hope to cover under cyber insurance.
Step 2: Show your insurance carrier the proactive protection tools you have in place. And if you don’t already have them, consider implementing endpoint detection and response (EDR) or managed detection and response (MDR). Relying on antivirus software is unlikely to satisfy your insurance provider.
Step 3: Show the insurance carrier the steps you’ve taken to protect your supply chain. In 2013, retailer Target was infiltrated by a security breach through their HVAC vendor. Forty million debit and credit card records belonging to Target’s customers were compromised, and the breach was estimated to cost over $200 million. The connections between businesses and their vendors remain a risk, and many companies are requiring their suppliers to show proof that cybersecurity protocols and insurance are in place.
Step 4: Show that you’re training your employees to follow cybersecurity protocols. Human behavior is the highest cybersecurity risk, and insurers will want to know what programs you have put in place to reduce that threat. Password policies, device management policies and education on how to avoid malicious links are some ways to avoid the top causes of cybersecurity breaches.
Want to learn more about establishing your business’s cybersecurity protocols? Watch our Live With Lighthouse episode with Jessica Copeland, member at Bond, Schoeneck & King PLLC and chair of the firm’s cybersecurity and data privacy practice, to learn more about the standard of care required.
What technology tools should you have in place?
In addition to those already mentioned, insurers will look for:
• Encryption software
• Multi-factor authentication software
• Device security solutions like virtual private networks (VPN)
• An established data backup process
• Documented policies for how your company will respond to cybersecurity incidents and breaches
And remember, cyber insurance evolves over time. As work culture has shifted to more remote and hybrid work environments, insurers are constantly reviewing their cyber insurance requirements to account for new risks. We’re currently seeing a major shift in the cost and requirements of cyber insurance policies. What was once covered under a cyber insurance policy may be declined a year later.
Overall, the best way to prevent a cyber insurance claim denial is to take action and ensure you have the right tools, trainings and procedures in place to protect yourself from cybercrime.