This article was originally published by Vivek Gupta and Chetan Sehgal, Partner and BDO Canada leader, Forensic Insurance Services and can be found on the BDO Canada website. This article has been republished here with permission.
For many organisations, cyber liability insurance provides critical protection from financial loss stemming from a cyber incident, from legal damages and business interruption, and crisis management and investigation expenses. As it’s a relatively new, evolving and very specialised type of insurance, businesses must exercise due diligence when shopping around for a new policy or looking to renew their coverage.
Five practical pointers
Below are five practical pointers for leaders when considering cyber insurance:
1. Hidden vulnerabilities typically come to light only after a successful attack. Conduct a risk assessment of your control environment and develop a prevention program — or work with a firm that can — to purchase the most appropriate plan for your needs. A cyber security and forensics partner like BDO can also conduct a cost-benefit analysis to identify your blind spots so you can focus your insurance coverage on those areas or, better yet, remove those blind spots prior to applying for insurance to avoid denial of coverage or high premiums.
Once you understand your control environment, you can request quotes from different underwriters to compare coverage options and conduct proper due diligence on not only the policy, but the insurance company.
2. Work with your insurance broker or underwriter to ensure the policy fits your type of business and that you’re fully aware of what’s covered and what’s not. Review various cyber insurance options, familiarise yourself with the policy and ask the right questions. We recommend you be mindful when selecting a policy to make sure it will apply to your situation. Work with experts who specialise in cyber insurance and have experience in your industry and geography to ensure you are getting the best possible advice.
3. Select a response team you trust. If you’ve had a breach, it’ll throw you into utter chaos as you try to be as operationally viable as you can. Dealing with an underwriter and other advisors you're comfortable with will make that process as smooth as possible. An effective response to a cyber incident is one that has been devised as part of contingency plan strategies and risk management. You need to have a team in place that can help you respond on short notice, including legal counsel, cyber breach professionals and claim consultants or accountants.
4. Take time to understand the policy fine print. Insurance policies aren’t created equal and with cyber insurance being a relatively new product, many buyers aren’t aware of the pitfalls associated with these policies. Some insurance companies will conduct an assessment before they provide you with a policy and premiums. You have to understand what you're signing up for and what your responsibilities are to protect yourself. As the loss ratios on cyber claims have skyrocketed in the past year, the amount insurers cover appears to be declining while premiums are rising.
5. Implement a comprehensive suite of cyber security controls and protections. Some clauses in insurance policies state that unless it can be determined an organisation had the right preventive controls in place, they will not issue a payout. Also, the more robust your controls are, the lower the risk of a breach and that's going to affect the premiums you pay.
Reactive and proactive cyber security measures working together
Above all, business leaders must not lose sight of the fact cyber liability insurance is a reactive solution and does not prevent an attack from happening. That's a serious gap — loss from cyber crime isn't just financial; it brings disruption to an organisation’s culture, operation and reputation.
That means insurance is only one piece of the cyber security stronghold.
Insurance is important because cyber attacks are happening more often, and it allows you to recoup some of your losses. However the bigger piece of it is prevention and addressing the root cause - plugging the holes in the potential for those attacks. You can't rewind if data is exposed.
Businesses that double down on developing a well-designed business network defence strategy, securing their endpoints and launching proactive detection and response mechanisms are better primed to recover with minimal damage.
How BDO can help you understand your cyber insurance needs
From quantifying the post-incident losses to proactively helping you understand the appropriate level of coverage, BDO can support your business throughout the insurance cycle.
We often get retained to deal with post-incident response, but our counsel doesn't stop there. Our cyber security and digital forensics team can help fortify your organisation using proactive tactics that include focusing on employee awareness and training, conducting due diligence on your company's preventive controls, and quantifying risk to help you ensure the cyber insurance policy you choose meets your needs.
The value of working with BDO includes:
- Cybersecurity starting at the core - to help you choose the most relevant cyber insurance policy, we identify your key data assets and test for application and infrastructure vulnerabilities. Focusing on the internal controls that help prevent cyber incidents from happening in the first place, we perform a cyber assessment of your digital environment and set achievable goals by developing an effective cyber security strategy.
- Round-the-clock cyber support — we know fraudsters, hackers and cybercriminals don't work a 9 to 5 schedule. Our professionals are available any time of day, all days of the week, to help your business rebound in the event of a cyber incident.
- Comprehensive services — with a vast team across various disciplines and areas of expertise, BDO has the ability to address collateral damage associated with a breach. Our legal support team, for example, can assist with data breach response and litigation.
- An applied approach to identify vulnerabilities — BDO can help you build or evaluate your company's incident response plan using techniques like ethical hacking simulation exercises and network penetration testing. Addressing the people component of cyber security, we can run phishing simulations to build employee detection skills and provide training on spotting and reporting suspected phishing attempts.