Integrate Cyber-Insurance into Your Cybersecurity Incident Response Plans
It is too late to buy insurance after a Category 5 hurricane; the same is true after a cyberattack
By: Neal McCarthy
Cyber-insurance has become a necessity for organizations. According to Ponemon Institute's "2016 Cost of Data Breach Study: Global Analysis," the average cost of the data breaches included in the analysis was $4 million. Without cyber-insurance, that is a hefty bill to pay. The news can be even worse if an organization suffers a business-extinction-level event, where the cost of dealing with the breach is so high that it forces the company out of business.
The prospect of that type of Category 5 cybersecurity storm makes it vital to ensure your cyber-insurance policy is integrated into your cybersecurity incident response plan (CIRP). That begins by involving your organization's insurance manager in discussions about the response plan as well as in its testing. When it comes to insurance policies, the devil is in the details, and reading the fine print may reveal criteria that affect both the development and the efficacy of your plan. For example, some policies prescribe a list of vendors (forensics firms, legal counsel, and the like) that the organization must use during the response; if your CIRP names different vendors, the plan and the policy are already in conflict before the first incident. Other policies require the organization to follow certain industry best practices as a condition of coverage. Failing to meet these requirements could result in your organization not being reimbursed for its expenses, so each one should be written into the CIRP and exercised during testing rather than discovered mid-incident.
When a breach occurs, the insurance manager should be the one doing the hand-holding with the insurance provider. After all, the other members of the incident response team will have enough on their hands. While the rest of the team liaises with law enforcement, the media, customers, and vendors, the insurance manager can answer the insurer's questions and make sure the insurer is kept informed of what is happening. Remember: the insurance company is not simply going to write your organization a check. It will have questions and requirements of its own that need to be met.
A common element of cyber-insurance policies is a notification requirement in the event of a security incident. In some cases, the insurer will not reimburse the organization for money spent on a breach before the insurer was notified of the incident, so the notification step belongs early in the CIRP, not after the response is complete. Even then, the definition of what qualifies as a covered security incident varies from policy to policy, which makes it all the more important that the insurance manager understands the specific requirements imposed by the insurer and makes sure the organization follows through on them.
Business-extinction-level events may be few and far between, but it only takes one to bring down your business. Having cyber-insurance is not enough. It is crucial for your organization to understand its policy and weave every requirement into its CIRP.