Insurance is a necessary expense
More than likely, you have at least one insurance policy―life, health, auto, etc. Especially in today’s litigious society, insurance is needed to protect us financially from unexpected events. Ignoring this critical protection can land uninsured individuals and businesses in bankruptcy.
Do an internet search, turn on your favorite news channel, or go to wherever you get your information, and you’ll likely hear about another data breach. Some recent ones come to mind: the Colonial Pipeline, Riviera Beach, Fla., Lake City, Fla., and the University of Utah. All ransomware victims.
So, why are many businesses refusing to carry cyber insurance to protect their companies? Some are against it mainly due to cost, while others are unaware that their present E&O and Business Owner Policies don’t protect them from cybercrime.
Cybercrime such as ransomware is on the rise and will not go away. Hackers target small and medium businesses because they typically do not have the protections that larger, better-funded corporations do.
Cyber insurance is a must for ALL businesses, no matter the size
Many see cyber insurance as an unnecessary expense―a colossal mistake.
An example is the recent Colonial Pipeline breach. They paid a $5 million ransom to the hackers, most likely covered by cyber insurance. However, if they didn’t have a policy in place, Colonial would bear the total cost of the breach:
- The ransom payment itself.
- Public relations expenses.
- Investigations to determine the scope and identify data that was exposed.
- Legal fees.
- Professional guidance on how to respond.
- Identity theft monitoring for affected individuals.
- Overtime for employees who must deal with the additional workload.
- The continued payment of employees who cannot work until systems are restored.
- Hiring a call center to deal with the call-in workload.
- Restoring data that was affected.
- Consultants and security experts to assist in all phases of the recovery.
And we’re just hitting the obvious costs that could arise from a breach―the above fees, plus others not outlined here, can easily be catastrophic, especially for smaller companies.
Cyber insurance should be non-negotiable
When you realize how high the threat of a breach is, and that the risk hinges on humans not making mistakes (all it takes is one wrong click), it should be obvious how important this type of coverage is. A cyber insurance policy should be as crucial to any business as health coverage is to an employee.
Most cybersecurity incidents like ransomware originate with a well-meaning employee falling for a phishing attack. All the sophisticated security hardware and software on the market today cannot give you 100% protection from a social engineer’s spear-phishing email to an unsuspecting employee. One errant click is all it takes!
Before you apply for cyber insurance, you need to prepare
OK, let’s be frank: insurance companies are not dummies. They’ve paid out millions in claims already. Insurance companies are not going to give you a cyber-protection policy just because you asked. You need to show them that your business is not a pushover.
Although every insurance company is slightly different, the list below contains some common questions they may ask to assess whether they’ll give you a cyber-insurance policy.
- Do you have a cybersecurity program with ongoing employee awareness training and simulated phishing tests?
- Do you have Business Continuity and Disaster Recovery plans in place?
- Do you regularly perform full and incremental backups of business data?
- Do you perform test restores of your data?
- Do you enforce complex password protocols?
- Do you use Multi-factor Authentication (MFA)?
- Do you scan and filter incoming emails for malicious attachments and links?
- Do you require Sender Policy Framework (SPF) checks on incoming emails?
- Do you have a formalized patch management program?
- Do you use malware and endpoint protection?
- Do you enforce automatic updates of anti-virus and anti-malware solutions?
- Do you operate on the least-privilege model?
- Do you have web filtering in place to block malicious sites?
- Do you utilize EDR, SIEM, and a SOC for 24/7/365 network protection?
What to do if you cannot respond “Yes” to the cyber insurance questions above
If you cannot answer “Yes” to all of the above questions, then you probably do not have your own internal IT department. In this case, the very first thing you must do to protect your business is to sign on with a security-minded Managed IT Services Provider (MSP). But not just any MSP!
A good MSP will perform a FREE assessment of your network BEFORE giving you a quote. Don’t accept a one-page letter with prices, either. Instead, you should receive a multi-page, detailed document analyzing your network, showing you the good and the bad and how they’ll fix the problems they found.
The written assessment should be yours to keep even if you don’t select them. If the vendor balks at this, run away!
Before you sign with an MSP, review their assessment with them and make sure that after implementing their suggestions, you’ll be able to answer the above questions with a “Yes.” Again, if not―find another vendor. Your business is too important to put it in the hands of a vendor incapable of delivering a well-rounded cybersecurity program.
Afterward, shop around and get your business a comprehensive cyber insurance policy.
Cyber insurance is an essential part of business today. Every business, regardless of size, needs it. Without cyber insurance, one wrong click can cost you thousands, even millions depending on your size and the severity of the breach.
In conclusion, get a robust cybersecurity program in place, have your network monitored and maintained by a good, security-minded MSP, and get a cyber insurance policy. Stay safe.
XSolutions is an IT Services Provider serving New York (NY), New Jersey (NJ), and Connecticut (CT). We provide Managed IT Services | Managed IT Security | Backup & Disaster Recovery | Cloud Data Protection. Call (845) 362-9675 for a free consultation.