Year after year, we are seeing the expansion of applications for Cyber Insurance. As the underwriters become more versed in the technical attributes of infrastructure security, they naturally have more questions. Often these questions lead to variables that will affect your premium based on your answer. At times your answers could double your premium or deny you access to certain riders.
We are also seeing the fragmentation of the Cyber policy into subsets like loss of use due to ransomware, ransomware payout, equipment replacement, recovery expertise, legal fees and more. Add the Washington DC order to not pay ransomware, and you could find yourself wondering, "What should I be focusing on?"
A balanced approach to HIPAA guidelines that weighs company risks versus the cost of insurance might be more beneficial to your IT team based on their capabilities and skill sets. After all, it does not make sense to pay $30,000 per year for insurance on a car worth $30,000; this may be a better way of looking at risk.
The basics are often overlooked but could be your saving grace when it comes to the potential for fines and losses, and these basics are generally ignored because of their impact on the workplace. Whether you have a Managed Service Provider delivering IT services or your own staff, you often see hardware or software placed upstream to protect data while delivering as little impact as possible to workflow, but this is not enough.
Many breaches come from a trusted account, thereby circumventing all efforts placed at the edge of your environment. Breach liability is often calculated on the breadth of the breach and the governance placed onto your infrastructure to prevent such breaches. These controls can range from change control management and documentation to segmentation of critical devices from lower security networks.
Your approach to Cybersecurity and liability coverage should be a balanced one which considers the IT Security stance within your company and the financial impacts of a breach. You could have the largest breach in history and still come out relatively unscathed because of the diligence performed by your IT staff and following the guidelines set by NIST/OCR!
Edward Dibeler
Principal
Puma Telecommunications