More businesses are recognizing the need for cyber insurance as part of an overall security strategy. Here are some key points to consider when purchasing, and later relying on, a policy.
1. If Your Organization Doesn’t Already Have Cyber Insurance, It Will
Organizations are increasingly investing in Cyber Insurance simply because they have no choice. Clients are insisting their partners have insurance for compliance purposes and regulatory requirements. More and more, having cyber insurance is part of contractual requirements.
For smaller organizations that have not put a strong security program in place, cyber insurance is critical and makes financial sense.
Typical costs for cyber insurance are currently extremely reasonable. If you’re a CISO and you have a breach, what do you want to say: ‘Whoops, sorry?’ or ‘We have a partner, let’s file a claim’?
2. Insurance Coverage Is Not a Substitution for a Security Program
Just as you wouldn’t drive recklessly simply because you have auto insurance, Cyber Insurance should not serve as a reason to scale back investment in security strategy and tools. Under no circumstances should a business purchase Cyber Insurance and assume it is covered without putting the time and investment into a solid security program.
While Cyber Insurance may reimburse costs, it cannot mitigate the reputational damage incurred by a breach or a security incident. Insurance will not reinstate trust from clients and customers post-breach.
3. Security Should Get Involved Early in the Insurance Process
While the conversation about insurance is often being led in other financial divisions of a company, such as at the CFO level, the security department should be involved at the outset to help evaluate policies and coverage levels.
Security staff or the CISO will understand the technical language and definitions in a way that others who are less tech-savvy and risk-informed cannot. Security is also better qualified to identify important exclusions that may be slipped into the policy and can advise accordingly. To ensure the policy has the right inclusions for your specific organization’s needs, security needs to be consulted at each step of the evaluation and purchasing process.
4. Ensure the Requirements of a Policy Are Fulfilled So Your Coverage Won’t Be Nullified
You’ve got a policy and now you’re covered, right? Think again. You are obligated to fulfil, and to have in place, a number of requirements in order for that policy to cover you in the event of a breach or other security incident.
This brings us back to the importance of security’s involvement in the process and a thorough understanding of both the coverage and the policy details. What does your organization need to have in place that it may be overlooking? If the policy requires a control and you haven’t put it in place, you will be out of luck on coverage in the event of a breach.
5. Some Elements of Your Incident Response Plan May Need to Change
Certain steps in an incident response plan may need to be tweaked once a Cyber Insurance policy is in place. This includes your breach reporting timeline, as almost all policies have requirements about timely reporting.
Secondly, it is critical to develop your incident response plan before you have to use it – and to test it out. While many organizations have an incident response plan in theory, a considerable number have not actually put it to the test. Are you sure yours is up to the challenge if a breach occurs?
The full article is available from darkreading.