Stridium Cybersecurity Advisors talk due diligence for small businesses looking to protect themselves from a data breach.
Insurance companies are in the business of selling peace of mind concerning bad things that can happen to people. One of those bad things, if you are a small business owner, is a data breach. While cyber liability insurance can be a valuable part of a small business's information security strategy, it should never be the only part of that strategy.
Though cyber liability insurance first appeared in the 1980s, a number of insurance companies only started offering policies over the past decade to cover financial losses that result from data breaches and other cyber events. Many of these policies include both first-party and third-party coverages. First-party coverages apply to losses sustained by your company directly, while third-party coverages apply to claims against your firm by people who have been injured as a result of your actions or failure to act (e.g. a client suing you for negligence after his personal data is stolen from your computer system and released online).
While these policies allow you to transfer some of your liability, a substantial amount of risk still remains, making this insurance inadequate to protect you without other measures in place. Here are some of the issues you need to consider:
- Insurance doesn’t do anything to actually protect your data
While the purpose of your policy is to protect your business, you still need to protect the systems and data upon which your business relies. Most policies will require you to answer a questionnaire designed to gauge what measures are in place to protect your company’s systems and data. This helps establish what the insurance industry refers to as the “Duty of Care.” The Duty of Care Risk Analysis Standard (DoCRA) provides practices and principles to help balance compliance, security, and business objectives when developing security controls. Depending on your answers, you may be denied coverage or required to pay an additional premium. Your data still needs to be adequately protected whether you have cyber insurance or not.
- Many policies have significant restrictions
Most insurance relies upon an analysis of sound actuarial data against a largely static background of risk, which (for the most part) does not exist when it comes to newer risks like cyber-crime. Because of this, the industry has responded with a large number of standard exclusions which can result in an insurer withholding payment in case of a data breach. You need to read the fine print of any cyber insurance policy very carefully to know what will and will not be covered in case of a claim.
- Cyber insurance will most likely only help you the first time
Even if you're covered by cyber insurance, once you file a claim you'll probably be looking at a significant rate hike, or even cancellation of your coverage if the insurance provider determines you to be too high an insurance risk.
Before considering cyber liability insurance, a small business owner should consider whether adequate controls are in place to protect the systems and information upon which the business relies. Here are some steps that will help you accomplish that:
- Perform a risk assessment
Compare your organization's information security controls with those specified in an information security standard. These standards, such as the NIST Cybersecurity Framework (CSF), specify controls to protect systems and information from those with malicious intent. Alternatively, if your business has a heavy reliance on credit card transactions, you may want to assess your business against the controls specified in the PCI-DSS (Payment Card Industry Data Security Standard), which credit card merchants agree to uphold as part of their contract with the payment card providers. An outside cybersecurity firm can help you perform these types of risk assessments.
- Implement missing cybersecurity controls
Where your risk assessment highlights gaps between your controls and those specified in your chosen information security standard, you'll need to determine if the identified risk warrants the implementation of additional controls. These can be technical controls (e.g. implementing firewall technology) or process controls (e.g. performing background checks when hiring). A third-party cybersecurity firm can recommend and implement adequate security measures using on-demand resourcing, help you manage your cybersecurity program, and be available to answer security-related requests from clients, regulators or business partners who want to know how you protect information they may share with you.
Small businesses that exercise due diligence in protecting their mission-critical systems and information will benefit from increased peace of mind concerning their data breach risk, whether they decide to purchase cyber liability insurance or not.