Cyber Insurance

Why your cyber insurance policy likely isn’t valid

Foreword


It may seem odd at first for a managed IT services provider (MSP) to be discussing insurance policies, given it’s not a service that we offer… however, the reality is our world and the services we supply overlap significantly and can profoundly affect the policies our clients are able to obtain and the validity of those policies.

Many clients look to managed IT services providers to take complete ownership of their IT requirements and act as a one-stop shop for support, management, consultancy and leadership.

As a provider, failing to address the fundamental cyber security policy requirements is unacceptable, and every MSP should be openly discussing cyber insurance with their clients.


Intro


In the current digital age, data breaches and cyber-attacks are becoming increasingly common. The Australian Signals Directorate (ASD) reported that cybercrime reports in the 2022 financial year were up 13% on the previous financial year.

With the potential to result in severe financial losses, reputational damage, or even the complete closure of a business, adequate cyber liability cover has never been more important.

However, many businesses are unaware that their policy might not provide them with the protection they assume. Those looking for a new policy are often surprised to hear they will be rejected without significant changes to their cyber security posture.


What is Cyber Insurance?


Cyber liability insurance is a specialised form of coverage designed to protect businesses from potential threats and risks in the digital space. It is intended to mitigate losses from various cyber incidents, including data breaches, business interruption, network damage, and cyber extortion.

This now-common insurance has seen significant adoption in Australia in recent years, with Marsh’s mid-market report from 2021 showing a 23% increase in policy adoption.


How is Cyber Insurance Different from Standard Business Insurance?


Unlike standard business insurance, which often focuses on physical assets and liabilities, cyber insurance is dedicated to the unique risks associated with a business’s online presence and digital data. These traditional insurance policies often exclude losses related to digital assets or those arising from cyber incidents, which many business owners are surprised to learn.

Cyber insurance addresses the modern, digital risks businesses face, including breaches of sensitive customer data, interruption of digital services, and even the potential reputational damage that can follow a significant incident.


What is Covered Under a Typical Cyber Insurance Policy?


While coverage varies by provider and policy, a typical cyber insurance policy may cover the costs associated with data recovery, notifying customers of a breach, legal fees, regulatory fines and penalties (where the law allows them to be insured), public relations, and even the extortion demands associated with ransomware attacks.

Policies will also often cover first-party (your own) losses such as recovery costs for critical systems and extortion, as well as third-party (others’) losses, like those suffered by your customers or partners due to a breach in your system and claims against your business from affected clients.


Does Your Business Really Need Cyber Insurance?


The short answer is yes. With the increasing dependence on technology and data, virtually all businesses are vulnerable to cyber threats. Even if you have implemented robust security measures, no system is impervious to attacks.

The big question all business owners need to address is: how much time or money can the business afford to lose before we have to close shop?


What do I Need to do to Obtain Cyber Insurance?


Obtaining cyber insurance involves a thorough review of your current cybersecurity protocols and risk management procedures. Insurers will typically assess the strength of your firewalls, encryption, antivirus software, employee training programs, and disaster recovery plans.

While we aren’t recommending any specific brokers or providers in Australia, it is recommended to go through a broker who can help you navigate the process of obtaining a policy.


I Already Have a Policy… am I Covered?


While you might already have a policy, not all policies are created equal. There are often numerous exclusions, terms, and conditions that may result in denial of claims, such as failing to maintain a certain level of security or not reporting a breach in a timely manner.


What are the Most Common Causes for not Being Covered?


Lack of adequate cybersecurity measures is the primary reason for claim denial. Below are four common reasons why your policy may be invalid.


1) A lack of cybersecurity awareness training & simulated phishing


People remain the most common entry point for cyber-attacks: phishing and other social engineering succeed by persuading a user to act. Regular training and testing ensures employees understand the risks and know what to do (and what not to click) to prevent an attack.

A leading security awareness training provider, KnowBe4, reported in March 2023 that after 90 days of computer-based training and simulated phishing testing, the average link-click risk fell from 37.9% to 14.1%.

After one year of monthly simulated phishing tests and regular training, the risk declines further to just 4.7%. Across all industries, there is an average 87% improvement from baseline testing to 12 months of training and testing.


2) Inappropriate storage and handling of PII


PII (Personally Identifiable Information) is any data that can be used to identify an individual, on its own or in combination with other data. This includes names, addresses, tax identification numbers (in Australia, the Tax File Number), email addresses, bank account details, and much more.

Many businesses do not handle PII as carefully as they should. Common missteps include not classifying PII correctly, storing it on unsecured systems, or transmitting it without proper encryption. Such practices significantly increase the risk of a data breach and are a major red flag for insurers.

Many cyber insurance policies have specific provisions related to PII. They may require that you adhere to certain security standards or regulatory guidelines regarding the collection, storage, and handling of PII. Failure to meet these requirements often results in your cyber insurance policy not providing coverage in the event of a data breach involving sensitive data.

For businesses that deal with PII (which is most), it is crucial to understand and follow best practices for handling it. At a minimum this should include encrypting PII at rest and in transit, limiting access on a least-privilege basis, providing regular training to employees, maintaining a clear policy for PII handling and storage, and implementing modern controls such as Data Loss Prevention (DLP) tools that detect when PII is stored where it should not be or leaves your environment.
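As an added example (not from the original article, and not any DLP product's code), here is a minimal detection routine of the kind a Data Loss Prevention tool runs over files and outbound messages: it finds Australian Tax File Numbers and email addresses in text, and applies the ATO's published TFN check-digit test so that an arbitrary nine-digit invoice or order number is not flagged. It assumes the article's "Tax Identification Number" is the Australian TFN; the ticket text it scans is constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List

# ATO check-digit weights for the nine TFN digits (assumption: the article's
# "Tax Identification Number" is the Australian TFN). A genuine TFN has a
# weighted digit sum divisible by 11.
TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)

# Nine digits, optionally grouped 3-3-3 with spaces or hyphens, not embedded
# in a longer digit run (so a 10-digit mobile number is not a candidate).
TFN_CANDIDATE = re.compile(r"(?<!\d)(\d{3})[ -]?(\d{3})[ -]?(\d{3})(?!\d)")
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def is_valid_tfn(digits: str) -> bool:
    """True only if the nine digits pass the TFN check-digit test."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    return sum(int(d) * w for d, w in zip(digits, TFN_WEIGHTS)) % 11 == 0


def redact(value: str) -> str:
    """Mask all but the last two characters so a finding can be correlated
    by an analyst without the alert becoming another copy of the PII."""
    return "*" * (len(value) - 2) + value[-2:]


@dataclass(frozen=True)
class Finding:
    kind: str      # "tfn" or "email"
    value: str     # masked for TFNs
    line: int      # 1-based line number in the scanned text


def scan_text(text: str) -> List[Finding]:
    """Return PII findings for a block of text, one entry per hit."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in TFN_CANDIDATE.finditer(line):
            digits = "".join(m.groups())
            if is_valid_tfn(digits):            # drops invoice/order numbers
                findings.append(Finding("tfn", redact(digits), lineno))
        for m in EMAIL.finditer(line):
            findings.append(Finding("email", m.group(0), lineno))
    return findings


# Constructed sample: a support-ticket export. 123 456 782 is the well-known
# ATO test TFN; 123456789 fails the check digit and must not be flagged.
SAMPLE_EXPORT = """Ticket #4411 - payroll onboarding
Employee TFN: 123 456 782
Invoice ref 123456789 attached
Mobile 0412 345 678
Contact jane.doe@example.com for the signed form"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_EXPORT):
        print(f"line {f.line}: {f.kind} -> {f.value}")
```

The check digit is what keeps the false-positive rate usable: without it every nine-digit reference number in an invoice export would raise an alert, and staff would learn to ignore the tool. In a real deployment the same validator runs over mail flow and file shares and raises a ticket rather than printing to stdout.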


3) Not enabling multi-factor authentication on all necessary systems


Multi-Factor Authentication (MFA) adds a vital extra layer of security to your systems. By requiring users to provide more than one method of verification – often something they know (like a password) and something they have (like a mobile device or a key fob) – MFA makes it significantly more difficult for unauthorised users to gain access.

However, despite its effectiveness, MFA is often not implemented comprehensively across all critical systems. Some businesses might enforce MFA on their email system but neglect it on other important platforms such as cloud storage, CRM, or financial systems. This inconsistent application of MFA can leave these less-protected systems vulnerable, becoming the weakest link in the cybersecurity chain.

Insurance providers are aware of these common gaps, and a breach that exploits a lax approach to MFA will often be treated as a breach of the policy's conditions, leaving the claim unpaid.

A more robust approach is to use a centralised identity provider that can enforce MFA across every system that authenticates through it. This creates a unified, organisation-wide MFA policy with no gaps in enforcement, and makes it possible to prefer phishing-resistant methods (such as FIDO2 security keys or passkeys) over SMS codes and simple push approvals, which attackers routinely defeat.

One powerful strategy is to use Conditional Access policies (for example, Conditional Access in Microsoft Entra ID) in conjunction with MFA. A Conditional Access policy evaluates each sign-in against several signals, such as the user's location, device state and sign-in risk, and then decides whether to grant access, block it, or require additional authentication.
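The following is an added example, not the article's own material and not Microsoft's code. It builds the request body for a Microsoft Entra Conditional Access policy that requires MFA for all users on all cloud apps, and audits a list of existing policies for the gap described above (MFA enforced on email, nothing enforced elsewhere). The JSON shape follows the Microsoft Graph conditionalAccessPolicy resource; the application IDs, the break-glass account ID and the "existing" policies are placeholders constructed for the example.

```python
import json
import urllib.request
from typing import Dict, List

GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# Placeholder identifiers (assumption): replace with your tenant's real
# application IDs and the object ID of an emergency-access account.
BREAK_GLASS_USER = "11111111-1111-1111-1111-111111111111"
APP_EMAIL = "app-email-placeholder"
APP_STORAGE = "app-cloud-storage-placeholder"
APP_CRM = "app-crm-placeholder"
APP_FINANCE = "app-finance-placeholder"
ALL_APPS = [APP_EMAIL, APP_STORAGE, APP_CRM, APP_FINANCE]


def require_mfa_everywhere(exclude_users: List[str],
                           state: str = "enabledForReportingButNotEnforced") -> Dict:
    """Policy body: every user, every cloud app, MFA as the only grant control.
    Defaults to report-only so sign-in logs show the impact before enforcement;
    excluding a break-glass account avoids locking the tenant out."""
    return {
        "displayName": "Require MFA for all users on all cloud apps",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": exclude_users},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def mandates_mfa(policy: Dict) -> bool:
    """MFA is mandatory only if it is the sole control or the controls are
    ANDed; with operator OR, a compliant device alone satisfies the policy."""
    gc = policy.get("grantControls") or {}
    controls = gc.get("builtInControls", [])
    return "mfa" in controls and (len(controls) == 1 or gc.get("operator") == "AND")


def covers_app(policy: Dict, app_id: str) -> bool:
    apps = policy["conditions"].get("applications", {})
    included = apps.get("includeApplications", [])
    excluded = apps.get("excludeApplications", [])
    return ("All" in included or app_id in included) and app_id not in excluded


def mfa_gaps(policies: List[Dict], app_ids: List[str]) -> List[str]:
    """Apps on which no enabled, all-users policy mandates MFA.
    Report-only and disabled policies enforce nothing, so they do not count."""
    enforcing = [p for p in policies
                 if p.get("state") == "enabled"
                 and "All" in p["conditions"]["users"].get("includeUsers", [])
                 and mandates_mfa(p)]
    return sorted(a for a in app_ids if not any(covers_app(p, a) for p in enforcing))


def create_policy(access_token: str, body: Dict) -> bytes:
    """POST the policy to Graph (requires Policy.ReadWrite.ConditionalAccess).
    Not called by the offline demo below."""
    req = urllib.request.Request(
        GRAPH_CA_POLICIES, data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.read()


# Constructed sample: the inconsistent state the article describes. Email is
# enforced; the broad policy was created in report-only mode and never switched on.
EXISTING_POLICIES = [
    {"displayName": "MFA for email", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": [APP_EMAIL]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    require_mfa_everywhere([BREAK_GLASS_USER]),   # report-only by default
]

if __name__ == "__main__":
    print("apps without enforced MFA:", mfa_gaps(EXISTING_POLICIES, ALL_APPS))
    fixed = EXISTING_POLICIES + [require_mfa_everywhere([BREAK_GLASS_USER], state="enabled")]
    print("after enabling the all-apps policy:", mfa_gaps(fixed, ALL_APPS))
```

Two details matter when you run this against a real tenant: a policy sitting in report-only mode is invisible to users and therefore to attackers, so the audit treats it as absent; and a grant control of "mfa OR compliantDevice" does not require MFA at all, which is why `mandates_mfa` checks the operator as well as the control list.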


4) Not having or testing your backup and disaster recovery plans


A fundamental rule in disaster recovery is that backups are unproven until they have been fully tested…

As an MSP, we recoil in horror at the tales of businesses who religiously backed up their data every night, only to attempt a restore years later and find nothing in their backup system, despite years of success notifications. It is something we have seen first-hand, and the result is often a business going under.

It goes without saying that a regularly tested backup and recovery process is part of the fundamental due diligence required to run a business. Failing to have, and test, your backup systems and processes will not just impair your ability to recover; it can invalidate the very policy that was meant to be your additional safety net.

A common misconception is that data stored in cloud services like Google Workspace and Microsoft 365 is backed up by the provider. This is not the case: these services offer retention and recycle-bin features, not a backup you control, and the providers themselves recommend taking third-party backups of your data.
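An added example (not from the original article, and not tied to any backup product) of what "tested" means in practice: restore the archive to scratch space and compare every file against a hash manifest written at backup time, treating a restore that produces zero files as a failure even though the job reported success. The sample files, the archive and the manifest are all constructed inside the script; the assumption that the backup job writes a manifest.json beside the archive is the example's own.

```python
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, Tuple


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, dest_dir: Path) -> Tuple[Path, Path]:
    """Archive every file under `source` and write a manifest of
    relative path -> sha256 beside it. (Stand-in for the backup job.)"""
    dest_dir.mkdir(parents=True, exist_ok=True)
    archive = dest_dir / "backup.tar.gz"
    manifest = dest_dir / "manifest.json"
    digests: Dict[str, str] = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(p for p in source.rglob("*") if p.is_file()):
            rel = path.relative_to(source).as_posix()
            tar.add(path, arcname=rel)
            digests[rel] = sha256_file(path)
    manifest.write_text(json.dumps(digests, indent=2))
    return archive, manifest


def restore_and_verify(archive: Path, manifest: Path) -> Dict:
    """Restore to a scratch directory and compare each file to the manifest.
    A 'successful' restore of zero files is reported as a failure."""
    expected: Dict[str, str] = json.loads(manifest.read_text())
    missing, corrupt, restored = [], [], 0
    with tempfile.TemporaryDirectory() as scratch:
        root = Path(scratch)
        with tarfile.open(archive) as tar:
            try:
                tar.extractall(root, filter="data")   # rejects ../ and absolute paths
            except TypeError:                         # Python without the filter argument
                tar.extractall(root)
        for rel, digest in expected.items():
            target = root / rel
            if not target.is_file():
                missing.append(rel)
            elif sha256_file(target) != digest:
                corrupt.append(rel)
            else:
                restored += 1
    return {
        "ok": bool(expected) and not missing and not corrupt,
        "expected": len(expected), "restored": restored,
        "missing": missing, "corrupt": corrupt,
    }


def run_demo() -> Dict[str, Dict]:
    """Constructed scenario: a healthy backup, then an archive the job wrote
    out empty, the silent failure the article warns about."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "shared"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("date,amount\n2023-07-01,120.00\n")
        (src / "clients.txt").write_text("Acme Pty Ltd\n")

        archive, manifest = make_backup(src, work / "backups")
        healthy = restore_and_verify(archive, manifest)

        empty = work / "backups" / "empty.tar.gz"
        with tarfile.open(empty, "w:gz"):
            pass                                      # job "succeeded", wrote nothing
        silent_failure = restore_and_verify(empty, manifest)
    return {"healthy": healthy, "empty_archive": silent_failure}


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, "OK" if result["ok"] else "FAILED", result)
```

The point is that the check asserts on what came back, not on the job's exit status. Schedule this against a recent backup on a regular cadence and alert on `ok == False`; a run that restores nothing is the scenario above, and an archive that has been tampered with shows up under `corrupt` rather than passing quietly.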


How can I Check if I’m Covered?


Review your policy with a fine-tooth comb. Make sure you understand all exclusions and conditions, and assess your current cybersecurity measures against them. Consult with your insurance provider if you’re unsure.

Even if you are confident your policy is airtight, speak with your IT provider and ask them to do a once-over of both the policy and your environment to confirm every condition is actually met. It is a common misconception that your IT provider knows what is happening in your environment at every given second. While we try to be omniscient, that is practically impossible, and configuration standards drift over time.

A good IT services provider should be conducting regular standards audits and should be discussing any significant changes to your environment with you on a regular basis.

You can find out more about how Aus Advantage regularly audits client infrastructure as part of our standard managed support services, here.


In Summary


While cyber liability insurance undoubtedly holds a crucial role in risk management, it’s essential to remember that it’s only one piece of a much larger cybersecurity puzzle. Rather than viewing it as an isolated measure, it should be seen as a litmus test for the overall effectiveness of your IT provider.

Maintaining a comprehensive cyber insurance policy ensures that your IT provider is keeping your systems aligned with current best practices. It means they understand the evolving threat landscape and are taking the necessary steps to guard against it. They are not only protecting your digital assets but also ensuring that you have the financial backing to recover should a breach occur.

In short, while the primary purpose of cyber insurance is to provide financial protection in the event of a breach, its value extends far beyond that. It’s a barometer for your cybersecurity health, helping ensure that your defences are strong, up-to-date, and well-aligned with best practices. So, while you hope you never need to use it, investing in a robust cyber insurance policy is a wise move for every business.