It is becoming standard practice for organizations to carry a cyber insurance policy to mitigate the cost of the growing number of cyber hacks taking place every day. Face it: no matter how much you do to prevent someone “getting in” to your data or information, it is going to happen; it is just a matter of when. Most risk managers within organizations go out and purchase a cyber security policy, but often IT is left in the dark on the matter. The job of the risk managers is to minimize the impact to the bottom line by reducing, eliminating or transferring risks.
Rates, coverage types and premiums are all negotiated, but often little discussion takes place with the CIO, CSO, helpdesk and network support team leads, department leaders or procurement leaders. Most of you are saying “hmmm…I understand involving the CSO, but why the CIO, support teams or procurement groups?” The answer is simple: this is where the loopholes that let insurers avoid paying claims are uncovered. Claim payouts can be reduced by as much as 60% or more by poking holes in these areas when an incident occurs. During the month of August we will look at the areas that need to be tightened up in these groups to ensure maximum payout from the insurance company when a claim occurs.
Let’s first take a look at one of the most obvious areas that gets overlooked: staff augmentation providers and cloud-based or managed service partners that have access to, or store information for, applications with critical data, either onsite or remotely. The contracts often require that the vendor carry general liability, professional errors & omissions, worker’s compensation and auto insurance. Cyber insurance is relatively new, and procurement or department leaders who negotiate and sign these contracts don’t understand the implications of gaps in coverage if a valiant effort is not made to transfer that liability. If you can’t transfer it, then cyber insurance coverage for third parties needs to be extended on your own policy, which can get quite expensive.
The ease of adopting cloud-based service providers such as SaaS, IaaS and PaaS makes it easy to spin up new cyber risks and put the organization in a situation that jeopardizes the financial bottom line. Cyber policies that risk managers obtain need thorough review by the CIO and CSO in the organization to clearly identify gaps that may need to be addressed in policy, hardware or software. Then “awareness” training needs to be pushed to the organization at all levels to ensure a clear understanding of what may put the organization at financial risk if it is compromised. This applies to contract terms, insurance coverage exceptions and employee security awareness training, as well as vendor/contractor access to the network and applications.
If you are interested in reviewing your practices to see where you are at risk, give us a call. We can help you identify and address gaps in coverage that can increase your financial liability.