Don't Waste Your Money On Cyber Breach Insurance

Published: 22/11/2024   Category: security

Special insurance may offer value, but to get it you'll need to avoid common exclusions and stop trying to use a breach policy as a substitute for solid data security practices.



As an increasing number of businesses are starting to look at cyber breach insurance as a tool to mitigate the risks of data breaches, IT security pros need to be prepared to help their organizations avoid the hazards of choosing a policy that may not pay out when the worst occurs.
Chief among the biggest pitfalls? Trying to use insurance as a financial replacement for investment in sound protection of databases and other data security infrastructure.
"These insurance policies can't eliminate risk, they can only help you control and minimize it," says Rich Santalesa, senior counsel for Infolaw Group. "It's really one arrow in the quiver of those dealing with today's cyber risks and some of the liabilities that can spring from them."
[Don't expect your general liability coverage to pay out for data breaches. See "Fluke DSW Win Shouldn't Erase Breach Insurance Needs."]
Organizations that fail to encrypt sensitive data, that have few controls over who accesses database resources, and that do nothing to monitor activity within these data stores could be in for a rude awakening if they buy insurance as a stand-in for these practices. If legal or more traditional risk management personnel are under this misapprehension, it may be up to IT security pros to explain why, says Rich Mogull, analyst and CEO of Securosis.
"I think what IT needs to explain to those guys is two things. One is it certainly isn't going to keep us out of the newspapers, and from a financial standpoint, that's one of our greatest risks," Mogull says. "And, two, that's not going to keep us from getting fined by, say, PCI."
"And that's assuming you're going to get a payout anyway," he warns. If line-of-business and legal leaders unilaterally decide to get a breach policy without input from IT, they may miss exclusions in the policy that require a higher level of controls than what the organization currently has in place.
"If the insurance people say, 'You didn't analyze your logs enough,' and then they don't have to pay, that's a problem," he says. "That is absolutely an area that I think IT needs to be clear, to say, 'These are the standards that they expect of us and this is our current rate of compliance with what would be required for a payout.'"
One of the difficulties in shopping for one of these policies is the fact that cyber insurance is so new and is like no other insurance, says John Nicholson, an IT sourcing, privacy and data security attorney based out of the Washington, D.C. area.
"If you demonstrate that you're a really good driver, then your car insurance rates go down," he says. "In the cyber world, it's not quite there yet because people just don't know what those profiles are and how to accurately evaluate those levels of risk."
This greatly affects the variability of language within the range of different policies on the market, Santalesa says.
"Policies are still all over the place and a lot of the underwriters are still wrestling with how to quantify these risks, especially with laws changing as frequently as they do," he says. "So the short answer is it definitely provides value and predictability on limiting your liability and out-of-pocket cost, but it has to be entered into very carefully."
Because the insurance companies are themselves still taking baby steps into the market, the process of even just applying for one of these policies may actually provide one of the biggest parts of the breach insurance value proposition, Nicholson says.
"So they don't get blindsided by something in their clients' environments, the application process of these insurance policies is actually pretty extreme," he says. "They actually force you to go through a rigorous process to evaluate and disclose your own cybersecurity practices. That exercise in and of itself is very valuable."
He warns enterprises to be wary of an insurer that doesn't require them to go through this thorough pre-screening process.
"There's work that goes into your cyber insurance policy," Nicholson says. "If someone is offering you a cyber insurance policy that isn't requiring that kind of work? Well, there ain't no such thing as a free lunch."
Within the potential policy itself, shoppers need to be wary of vague language about what triggers a payout or exclusions that allow the insurer to pin the liability back on the policy holder.
"Look for anything that holds you to any kind of standard," Mogull warns. "They're going to have all sorts of clauses in there that they're not going to have to pay if you screw up."
For example, Santalesa says some breach policies may not cover incidents that occurred through the use of employee-owned devices.
"So if you're going to have a BYOD program, it may be something that you need to address in your coverage," he says.
Similarly, a policy could exclude the insurer from liability if the breach was caused by a third party, Nicholson warns. In cases of outsourcing, the enterprise will need to compare its potential policy with the liability coverage offered by its contractors.
"You've got that interplay between your own coverage and whether or not it will cover you if your vendor loses data, and whether or not your vendor has its own insurance," he says.
Similarly, enterprises should be looking out for clauses that limit payout amounts or keep a tight rein over what the breached organization can use the insurance money to pay for. He warns organizations to pay very close attention to the financial limits and sub-limits associated with the policy.
"You may think you've got a really big limit that will protect you," he says. "But if you're not reading the fine print on what the sub-limits are within certain types of events or certain types of costs, that's where you're going to get tripped up."
One place where Nicholson sees a lot of companies not getting sufficient coverage is for crisis management costs.
"A lot of policies are limiting those costs or don't cover them to the extent that companies actually incur them," he says.
Because looking for the right cyber insurer and negotiating for a beneficial policy is such a delicate process, Santalesa recommends that it be treated as a team exercise. The decision shouldn't be made by the business leaders, by legal, or by IT executives alone; instead, they need to combine forces, he says. And for IT professionals' part, they need to fill the role of technical translator.
"The business people and legal people might not be as technically savvy," he says. "IT definitely adds value to understanding what the risks are and then selecting the most well-tuned cyber policy."