As the liability associated with data breaches is rolling “downhill” to smaller companies and vendors that provide other business services, the need for cyber insurance is becoming more important. However, paying attention to the details is crucial to understanding what kind of insurance an organization requires and under what circumstances reimbursement is declined.
In a recent blog post we reviewed the FTC’s role in data privacy regulations and governance, and the importance of understanding what are considered to be “reasonable” measures to have in place in order to prevent data breaches. This is critical to mitigate liability and minimize related damages.
One of the easiest ways to minimize damage from a data breach is to obtain cyber security insurance. While these types of policies have been available for some time, it is only recently that the industry has started to see payouts. Why? Organizations were not able to adequately prove that they were adhering to the fine print the policies required.
In this blog, we review the main questions to ask prior to obtaining cyber insurance, and how CSPi security solutions can give you the compliance evidence you may need.
Cyber insurance provides financial protection
There is no silver bullet to protect companies of any size from data breaches.
Yet because cybersecurity risks are typically outside the coverage of traditional commercial liability policies, or are not specifically defined in them and are thus prone to delays and outright coverage denials, cyber insurance provides critical coverage for risk-averse businesses for which network and data services are their lifeblood.
Cyber insurance coverage typically includes first-party coverage against losses such as data destruction, extortion, theft, hacking, and denial of service attacks. It indemnifies companies for losses to others caused by errors and omissions and by failure to safeguard data, and provides key benefits including regular security audits, post-incident public relations support, investigative expense reimbursement, and criminal reward funding. For vendors that provide business services, a policy will often specify that the vendor certifies that it has cyber insurance coverage, or it may require that the vendor be listed as an additional insured.
What to know about cyber insurance
As with any insurance policy, reading the fine print is very important to understand what cyber-insurance covers and what your obligations are — not only to qualify for a policy but to be approved for payouts. The following is a list of questions any company should keep in mind as it engages in conversations and evaluates various types of cyber liability insurance policies:
- What type of data is covered?
  - Depending upon the business, it may be necessary to cover different data types, including PII, PHI and PCI data.
- Does it matter where the data is stored?
  - With the proliferation of cloud storage, organizations need to be aware that the location of data, such as onsite or in a third-party data center, may impact coverage.
- What is the trigger of coverage?
  - In other words, when does the clock start ticking: when the insurance claim is made, when the claim is made and the data breach is reported, or when the actual breach occurs?
- What exactly is the cyber insurance coverage?
  - This is where the nitty-gritty details fall, and they are the most crucial to understand. Items to look for include:
    - Prior acts
    - Third parties
    - Hardware replacement
    - Software upgrades
    - Bodily injury
    - PCI fines
    - Reputation damage
    - Unauthorized disclosure
    - Unauthorized acquisition of data by a third party
    - Compromised data
    - Defense costs
    - Crisis management
- Does loss of business require a complete suspension of business operations, or is any interruption in business operations sufficient?
- Does the policy cover lost profits?
Be aware that there are some easily overlooked boilerplate exclusions of coverage that can be triggered by specific circumstances. For example, some policies have provisions of exclusion if the covered company breaks federal or state statutes, including data privacy regulation — meaning if your company is not in compliance the cyber insurance company is not required to pay.
It’s also important to remember that obtaining cyber insurance still does not let companies off the hook from installing security tools and solutions or maintaining breach response processes. Cyber insurance companies heavily scrutinize both the language of the policy as well as what security measures were taken to attempt to prevent the breach.
Protecting your protection with CSPi
Cyber insurance is meant to be financial protection, but, as pointed out above, that protection depends on the ability to prove adherence to all the measures in the policy: that you have taken reasonable care to prevent a breach, that you are complying with data privacy regulations, and that you are able to identify what data, if any, was impacted. This is why CSPi security solutions give organizations a simple approach to satisfying the reporting and notification requirements associated with cyber insurance. Using CSPi Myricom nVoy solutions, organizations can easily isolate and monitor their identified PII/PHI data, while the nVoy solution also records all the data moving between devices. As an organization's firewall issues intrusion alerts, the nVoy AIR application compares those alerts against your identified PII data and, upon verifying a breach, automatically notifies you and provides detailed reporting identifying the exact data impacted.
With the use of the nVoy solution, organizations can easily demonstrate:
- Where their PII data is stored, no matter whether it is on- or off-premises
- Which devices accessed that data, and when
- What records, if any, were compromised
With the addition of CSPi’s ARIA SDS platform, organizations can go so far as to encrypt their PII/PHI data, making it unreadable to hackers. This way, when the inevitable breach does occur, it becomes irrelevant, as there is minimal impact.
One of the biggest concerns is when hackers steal the license keys needed to access the applications that house and/or use critical data. This scenario gives hackers “the keys to the kingdom” and allows them to move freely throughout the network and cause extreme harm. Our ARIA platform addresses this by also acting as a secure key management and storage location. Instead of the license keys being stored on a server (which can be hacked), the encrypted keys reside on a network adapter that pairs seamlessly with ARIA.
Using CSPi security solutions, organizations have the protection and reporting needed not only to take immediate steps during a breach, but also to avoid breach damage and to meet the requirements of data privacy regulations and cyber insurance policies.
Interested in learning more, and what makes CSPi solutions different? Download our white paper, “How to Secure DevOps Across Any Environment,” view any one of our on-demand webinars, or contact us today.