Just because you have home insurance it does not mean you should stop locking your front door.
Equally, travel insurance does not give you free rein to leave your valuables scattered around the hotel pool. All insurance policies expect the holder to take reasonable care to reduce risk – indeed, failing to do so can often invalidate the policy – and cyber liability insurance is no different.
Businesses are seeing an increase in cyber threats, with attacks rising by 164% in 2017 compared with 2016. Skilful attackers armed with a broadening array of advanced persistent threat (APT) techniques and tooling are increasing the severity of cyber security breaches. In response, the use of cyber liability insurance as a safety net and risk transfer mechanism is growing, with annual gross premiums expected to reach $7.5 billion by 2020.
However, employees are often failing to act with ‘reasonable care’, usually because they do not understand cyber security, and they may be unwittingly invalidating their employer’s policy. Let us explore how this might manifest within the workplace and outline the measures businesses can take to mitigate the risk.
Poor understanding of data practices
Data is now an essential ingredient of business success, but it is also a valuable commodity for cyber criminals. All too often, organizations lose sight of the data they collect, what it is used for, or how it is stored and shared. With Privacy Shield now in force and the EU’s General Data Protection Regulation due to apply from May 2018, the data landscape is evolving.
Employees need to communicate clearly to the CISO what information they are collecting and using – names, addresses, and financial information, for instance – and how that data is subsequently shared. Only then can the CISO confirm that this activity falls within the parameters of the insurance policy. Employees also need to tell the CISO when they automate or digitalize a process, because doing so can introduce new cyber security risks that the insurer will need to evaluate.
Finally, staff should pay attention to where data is actually stored: a policy written to cover storage on business servers may not respond at all if the data in fact sits with a cloud provider. In addition to checking the Service Level Agreement with the cloud provider, it can be worth taking out cloud-specific cover from an insurer.
Use of mobile devices and BYOD
As the workforce becomes more digitalized, mobile devices – smartphones, tablets, and laptops – accessing business networks are becoming commonplace. These devices may belong to the business itself – water and electrical companies, for example, use mobile devices for remote monitoring – or they may be employees’ personal devices.
Remote devices might not be protected to the same degree as the central company network and can offer attackers an easier route in. Mobile apps used to control internet-connected monitoring systems were recently found to contain significant security weaknesses that, if exploited, could allow attackers to damage critical infrastructure.
CISOs and employees need to understand to what extent their cyber insurance policies cover mobile devices – both business-owned and personal – and how those devices must be used so that cover is not nullified.
Unauthorised ransom payments
Extortion-based cybercrime is on the rise, with ransomware payments hitting a record $2 billion last year as companies paid up to recover locked or stolen data. Some cyber liability insurance policies do cover the cost of such payments, but the cover is often limited, and so is cover for the wider losses an attack causes. For example, insurers are expected to pay Merck & Co $275 million following the NotPetya attack, a fraction of what the incident cost the company.
Most insurers also attach specific terms to extortion cover. They may require immediate notification of any threat or ransom demand so that they can authorise payment, or they may cover only payments made in certain cryptocurrencies.
Amid the panic of a ransomware-style attack, employees understandably want to act quickly and pay, especially if they believe the insurance will cover it. Incidents must nevertheless always be reported to the CISO and the insurer first. In some cases, paying a ransom without authorisation can entirely invalidate a cyber insurance policy, meaning the business will not be compensated for any of the associated costs.
Preventing insurance invalidation
Employee education is an important element of keeping cyber liability insurance valid, but the internal policies and procedures that support it must be aligned with the terms of the policy and carefully communicated to everyone. Any amendment to the policy, and its consequent impact on day-to-day activities, should also be clearly explained.
Education, on its own, is not enough. According to Bruce Hallas, founder of the Analogies Project, “The assumption we make is that if we give people information, if we educate people on their roles and responsibilities, people will process that information in a logical way. This isn’t the case … in the heat of the moment, in a situation they are not familiar with, they will make an irrational choice even though they know they should be complying [with policies and procedures].”
In addition to providing adequate training, businesses must balance the transfer of risk via insurance with improvement of their own security measures and systems. Given constant connectivity, the multiplicity of devices, and increasingly edgeless networks, a perimeter firewall on its own no longer suffices; detection-based controls that spot compromise inside the network are needed alongside it.
CISOs should work with their insurer to find out which products it recommends, since insurers have accumulated a wealth of cyber security expertise, and businesses that implement recommended solutions may well benefit from reduced premiums. For instance, a monitoring platform that gives a single view of detected threats could be tied to the insurance policy as a technical add-on that evidences compliance with its conditions.
Cyber liability insurance is increasingly important to businesses in a world where cyberattacks can disrupt operations and incur enormous costs. To prevent unintentional invalidation of their policies, businesses must educate employees on issues such as data processing, remote device usage and ransom payments, and must balance risk transfer with up-to-date security measures.
This article is published as part of the IDG Contributor Network.