We know a nonprofit that paid $2,500 for a cyber insurance policy a little more than two years ago. When they were breached, the insurer paid out the $50,000 lost because of downtime and unrecoverable software and data. The money was essential aid when it was most needed. Isn’t that the point of getting any kind of insurance?
Unfortunately, suffering a breach can lead insurance companies to deem you a risk, marking you as negligent and costly. Unless you can prove you’re taking steps to heighten security, you could easily be in danger of losing your cyber policy.
Cyber policies are a financial safety net against breaches
It’s estimated 60% of businesses will close after being hit with a cyberattack. Downtime alone during an attack costs, on average, $46,800. Many businesses don’t have this kind of cash on hand. Cyber insurance is a low-cost way to build in a safety net for your business when you need it most.
5 Tips to Get (and Keep!) Cyber Insurance
A cyber policy is a great deal – if you can keep it. Here are our 5 tips for getting and keeping a cyber insurance policy.
1. Be aware: innocent mistakes will cost you
We see it time and again when we review responses to cyber insurance questionnaires. People think they have more security measures in place than they do. You can’t misrepresent anything on your application. Even if it’s a mistake, a wrong answer is a reason for the insurer to deny you coverage. Before submitting your form, ask your IT expert to go over it with you and ensure everything is accurate.
2. Explain your answers
Many of the measures cyber insurance companies ask about in their questionnaires are low-cost and widely available – like multifactor authentication. But, again, people typically don’t know what cyber tools they have in place. As part of our review process, we set aside time to write out explanations for what you are or aren’t doing. For instance, you might not have a cyber incident response plan, but you can create one. Instead of answering “No,” the answer is “No, but we’re working with our IT partner to review our systems and document the steps we will take if a breach occurs. We will have a plan in place by the end of the month.”
When you’re detailed, it improves your chances of getting insurance and shows how seriously you take cybersecurity. If you are denied, it will also point to what you need to be able to definitively say “Yes” to before applying again.
3. Offer extra information
You can provide more information than what’s asked for. Organizations that take extra precautions should document these steps in their application. Highlighting the other steps you’re taking is another way to prove to the insurer you’re taking as many steps as possible to mitigate cyber risk.
4. Prove your third-party partners are secure
Assuming you’re secure because you tick all the boxes internally is the second mistake you need to avoid. You have to evaluate your third-party partners too. Any vendor or partner you work with who can access your systems has to be compliant with all regulations you adhere to. Otherwise, you aren’t compliant because a criminal who breaks into your vendor’s system can then access yours. This is how Target was hacked in 2013 and represents a growing risk for everyone from small businesses to large enterprises.
5. Have a plan in case you’re breached
Knowing how you’ll handle a breach is a general best practice we recommend to all our clients. It’s doubly important for organizations seeking cyber policies. If you’ve already been breached, consult an IT expert to determine where holes exist and make a remediation plan. In the plan, state how you’re addressing what caused the breach and the tools you’re using to improve security. You’ll present this to your current carrier, or to a new one when you apply for a policy.
Whether you get coverage or not, this plan becomes your best chance of surviving any hacking incident. Back your plan up with IT support from cybersecurity experts.
How DiamondIT Works with Clients Who Apply For and Keep Cyber Insurance
After the nonprofit we mentioned above was breached, we started working together. We outlined a remediation plan, which includes SecureCentric layered security and robust backups. The carrier is reviewing the plan and will possibly pay for the recommended tools because the steps can prevent breaches and will reduce risks. If the carrier rejects the plan, the nonprofit has a document to show other insurers as they look for a new policy. The plan becomes even more important if no carriers are willing to take on the nonprofit. Without an insurance safety net, the nonprofit is entirely dependent on cybersecurity tools to keep out criminals and stay operational.
Are You Insurable?
We can help you put the right tools in place to protect your clients and business and preserve your insurability. Contact us today. We’ll review your current policy and assess your answers on your application, keeping you safe and insurable. Call us right now: (877) 716-8324.