In the classic movie, “The Wizard of Oz,” Dorothy and the Tin Man had to pass through the dark forest filled with lions and tigers and bears. It was a scary proposal — but a pretty catchy song. That walk through the dark forest is very similar to what organizations, large and small, are faced with inside the cyber domain.
The SolarWinds cyber-attack we talked about last week has an incredibly wide-ranging fallout. The theft of some of the world’s best penetration testing tools from FireEye has provided heavy artillery to the cyber-crime organization behind the attack. If the multinational corporations with their huge budgets are at risk, the small and medium businesses are even more so.
Technical controls like firewalls, access control lists, anti-virus, and monitoring will fail. Administrative policies and user training will fail. Despite your due diligence and best efforts, you will discover that you have been breached or you will receive a hefty ransomware demand. What is left to cover you? Insurance is the answer.
Because the cyber insurance industry is relatively young, there really is no standard industry cyber insurance coverage. Every carrier has their own spin on what they cover; oftentimes, that leaves gaps.
The good news is that your business may already have some coverage included in its business policy. You may have what some carriers call electronic data coverage. This only covers the loss of company data and the cost to restore it. Some carriers even include a low ransomware limit. Another policy you may have is a crime policy. This covers your company if a hacker uses social engineering to convince an employee to send a fraudulent wire transfer of funds.
That’s the good news. The bad news is, even if you have those policies, there are serious gaps that leave your organization open to high risks. You will have covered some first party risks — your data. You may still have third party risks — your customers. For instance, the healthcare industry is required by law to notify all patients whose data has been lost. And if the loss exceeds 500 patients, they will need to broadcast the notice over mass media. Furthermore, you may be required to place an employee of the Office for Civil Rights at your office to oversee your future compliance.
Often a breach requires the company to provide identity theft protection. Crisis management during a breach costs money. Also, after a breach, there should be a forensic investigation to determine what happened and how it could have been prevented. A breach is a public relations nightmare that needs to be fixed.
The expenses of a breach can add up. Try this cost calculator to get an idea of the basic costs of a breach, not including regulatory fines or lawsuits: https://bit.ly/2KvVmet. (Sidebar: Normally clicking on a bitly URL is not a good idea. We created this one to make it easier for our in-print readers to use.)
To give you an idea of the investigation and notification cost of a breach, with just 1,000 customer records, the cost is over $130,000. The good news is that the cost would be covered by the proper cyber insurance. Again, every carrier has their own programs. One national cyber insurance carrier breaks coverage up into three different policies, while several others combine everything into one package. Your cybersecurity provider may have insurance bundled with training (a requirement under HIPAA). With the recent pandemic of cyber-attacks, some cyber insurance carriers are requiring tougher standards in order to be eligible — for instance, requiring two-factor authentication (a password AND a secret code texted to your phone) for remote workers and for access to cloud-based backups. These cyber insurance carriers are looking for businesses to perform due diligence and use industry best practices on their networks.
As we return to Oz, Dorothy and the Tin Man had a lion who protected them throughout the rest of the movie. Your insurance policy can be just the protection you need to get you through the dark forest of the cyber domain, so YOU can make it to Oz.
Co-written by Tom Jewkes and Dan Gavin, the cyber guys from CyberEye. An archive of past articles can be found at www.cybereyeaw.com/blog. Contact us at gavin@cybereyeaw.com and tom@cybereyeaw.com.