After reading yet another headline about cybercrime, you have decided to go out and purchase cyber liability insurance. Are you protected? The answer is “it depends.”
First of all, cyber liability insurance is only going to protect your business against financial losses. Depending on the extent of the incident, the embarrassment and bad publicity caused may not be recoverable and you may find yourself out of business in some cases. The cyber liability insurance policy can be helpful when clients, partners and others sue your business, and they will sue.
However, if the insurance carrier can show that you were negligent, it is likely that you will be out of luck as they may not pay a dime of the claim. Your business needs to be prepared to prove that reasonable diligence has been taken to prevent and respond to the cyber incident. But what is reasonable diligence?
As with many terms, “reasonable diligence” has both a commonly understood meaning and a legal definition. Nothing in this post shall be construed as legal advice, and I recommend that anyone consult a competent attorney on all legal matters. From a cyber security perspective, however, the following practices may help to demonstrate reasonable diligence:
- First and foremost, it is essential to have an Incident Response Plan. Instead of wondering “if” the business will ever suffer a cyber security incident, assume that it will; the question is “when” the breach will happen. For a good reference on incident response standards, see NIST 800-61 Rev 2.
- If there is an Incident Response Plan, has it been tested? If tested, will it be effective?
- Understand the incident life cycle:
  - Prepare – Have an effective plan in place
  - Detect – This is an area where many businesses struggle; the incident often goes undetected until substantial harm has already been suffered
  - Contain – Limit the harm and implement an agile defense while still allowing the business to conduct operations
  - Eradicate – Ensure that the threat is eliminated and removed from the environment
  - Recover – Return to normal business operations
  - Lessons learned – How can the business make changes and improvements to prevent similar events in the future? What other areas in the incident life cycle can be improved upon?
- According to an RSA survey, less than 45% of businesses surveyed reported being able to quantify their cyber security risk. Has your business conducted a risk analysis, and if so, is it documented?
- As part of the incident response plan, has the business identified the team members who will execute the plan? Some roles to consider:
  - External experts – Have cost and availability been verified?
  - Line of business representatives – For smaller companies, this may be a short list. For larger companies, there may be many department heads, managers, etc. Does each member of the team understand their role and responsibilities?
  - IT – Keep in mind that while IT is a key participant, most IT staff are not security professionals and are certainly not forensics experts.
  - Communications – Who will handle communications, both internal and external?
  - Law enforcement – Who is the point of contact, and when are they engaged?
  - Legal – It is a good practice to involve legal counsel in the testing of any incident response plan. While most lawyers will not ‘certify’ that a business has all the boxes checked, documenting legal involvement can help demonstrate reasonable diligence.
Purchasing cyber liability insurance is one of three ways to manage risk: transferring it to a third party. However, to be effective, reasonable diligence is still necessary. The basket of risk cannot simply be tossed over the fence to the insurance carrier; the business retains some responsibility.
Is your business exercising reasonable diligence in its approach to cyber security? Why not schedule a free assessment with us and come away with a solid understanding of the risks your business faces as well as a crystal clear set of actions needed to address those risks before your business suffers substantial harm?