By: Dan Reith BA(Hons) CAIB
Reith & Associates Insurance and Financial Services Limited
Do You Have Adequate Cyber Insurance?
Given the number of variables, picking a cyber insurance policy can be a difficult task. Furthermore, while an organization may think it is protected by its current policy, new developments in cyber security and ventures by the organization itself may make those policies inadequate. Worse still, most Canadian small-medium enterprises, over 80%, fail to carry cyber insurance. Consider the following when creating or reviewing your existing cyber insurance plan.
Assess Your Unique Cyber Risks
As with any other liability policy, it’s important to understand the specifics of your cyber risks before picking a cyber liability policy. There is no one-size-fits-all, so assess your business needs to understand the best cyber insurance for you.
The following factors are some examples of what defines your organization’s distinct cyber risks:
- The type of data your organization stores
- How and what type of data is shared with business partners
- Types of communication systems used and their level of security
Know What Policies Are Available and What They Cover
Cyber insurance policies may vary significantly due to the absence of market standardization. While most policies provide first-party and third-party coverage, the details of what is covered can vary across policies. First-party coverage typically includes data breach response costs and business interruption costs that result from network failures, data breaches or ransomware attacks. Third-party coverage typically includes coverage for the costs associated with responding to regulatory investigations and indemnification for regulatory fines or penalties. Take a close look at the terms and coverage offered in each policy for what most closely aligns with your unique cyber risks.
Know Your Responsibilities
Closely examine your selected plan to know your responsibilities, such as who to notify if there has been a breach. For example, a data breach that has only recently been discovered might, in fact, involve systems that have been compromised for years, requiring a retroactive cyber insurance plan. Understanding these requirements and what needs to be reported can be the difference between being covered and not being covered at all. Work these requirements into your organization’s incident response plan to ensure they are followed.
The Atypical Devices That May Be Vulnerable to Cyber Attacks
An increasing number of non-computing devices, such as equipment sensors, industrial control systems and teleconferencing equipment, are being connected to global computer networks. Unfortunately, many of these devices are not held to the same cyber security standards, adding an additional vulnerability through which cyber criminals may be able to gain access to your organization’s valuable data or manipulate critical systems.
The Internet of Things
The internet of things (IoT) refers to web-enabled devices that are connected to each other in a network to exchange information. While this provides many benefits, such as reducing the need to input the same data into multiple systems and gathering data from different sources to be analyzed and used in a centralized location, there are risks associated with it.
For example, if a single device is compromised in a cyber attack, the data from all connected devices and even the devices themselves could be compromised. As such, all it takes for an outsider to gain access to sensitive information is to identify the device with the weakest cyber security that also has access to the network.
Securing IoT Devices
When looking to purchase and connect new devices to the IoT, ensure that there are plans and policies in place to minimize the chances of a cyber threat against those devices. Conduct a sweep of your organization to identify electronic devices and determine if each one is connected to a network that could be exposed to a cyber event, as well as what kind of data those devices are sending and receiving. Keep in mind that even seemingly mundane systems or devices such as heating, ventilation and air conditioning units could be running basic computer operating systems with the potential to connect to the internet. Track these devices by creating an asset map that lists the connected devices.
From here, you can start planning how to secure the devices that pose the largest threat of cyber exposure. Segment the network so that not every device provides access to the entire system, check for security updates or patches where possible and reach out to the device’s manufacturer for information if necessary. Restrict personal IoT devices to a separate network (like a guest Wi-Fi), update all default passwords on connected devices, use two-factor authentication and ensure that data generated by IoT devices is encrypted.
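One way to act on the asset map and the controls listed above, as an added example that is not part of the original article: the script below reads an asset map and ranks devices by how many of those controls are still open. The CSV columns, device names and segment names (`corporate`, `iot`, `guest`) are assumptions made for illustration, and the sample data is constructed.

```python
import csv
import io

# Constructed sample asset map; columns and names are illustrative assumptions.
ASSET_MAP_CSV = """device,segment,default_password_changed,two_factor,encrypts_data,patch_status,personal
hvac-controller,corporate,no,no,no,unknown,no
conference-room-camera,iot,yes,no,yes,current,no
loading-dock-sensor,iot,yes,yes,yes,current,no
employee-smartwatch,corporate,yes,no,yes,current,yes
"""

# (column, required value, finding reported when the value differs)
CHECKS = [
    ("default_password_changed", "yes", "default password not changed"),
    ("two_factor", "yes", "two-factor authentication not enabled"),
    ("encrypts_data", "yes", "device data not encrypted"),
    ("patch_status", "current", "patches not confirmed current; ask manufacturer"),
]


def audit_device(row):
    """Return the list of open items for one row of the asset map."""
    findings = []
    if row["personal"] == "yes":
        # Personal IoT devices belong on a separate network such as guest Wi-Fi.
        if row["segment"] != "guest":
            findings.append("personal device not on separate (guest) network")
    elif row["segment"] == "corporate":
        # Unsegmented devices give access to the entire system if compromised.
        findings.append("shares a segment with the main corporate network")
    for column, required, message in CHECKS:
        if row[column].strip().lower() != required:
            findings.append(message)
    return findings


def audit_asset_map(csv_text):
    """Audit every device and sort so the most exposed devices come first."""
    rows = csv.DictReader(io.StringIO(csv_text))
    results = [(row["device"], audit_device(row)) for row in rows]
    return sorted(results, key=lambda item: len(item[1]), reverse=True)


if __name__ == "__main__":
    for device, findings in audit_asset_map(ASSET_MAP_CSV):
        print(f"{device}: {len(findings)} open item(s)")
        for finding in findings:
            print(f"  - {finding}")
```
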
When looking for a provider of cyber insurance, don’t settle for just any provider. Interview them, and make sure their knowledge of the product and of your unique exposure is sufficient to give you the protection your business requires.