Cyber Insurance 101
In the "Gone Phishing" podcast episode titled "Cyber Insurance 101," host Connor Swalm and guest Brian Mahon, a certified insurance counselor with experience across various cyber insurance firms, discuss the evolution of cyber insurance policies post-COVID-19, emphasizing the importance of treating cyber risk on par with natural disasters, and explain key concepts such as sublimits in coverage areas like hardware bricking, cyber crime (notably phishing), and betterment, highlighting common misunderstandings and coverage gaps MSP clients should be aware of.
Podcast Introduction
Welcome to Gone Phishing, a show diving into the cybersecurity threats that surround our highly connected lives. Every human is different. Every person has unique vulnerabilities that expose them to potentially successful social engineering. On this show, we'll discuss human vulnerability and how it relates to unique individuals.
Guest Introduction
Today, Connor Swalm is joined by Brian Mahon, a certified insurance counselor who has worked for three different cyber insurance agencies in the last seven years: a startup, a private equity-backed firm, and a privately owned company. Together, they discuss the evolution of cyber insurance policies, especially in response to the COVID-19 pandemic, and how companies now need to view cyber risk as being just as significant as risks associated with floods and hurricanes.
Understanding Cyber Insurance and Sublimits
What is Cyber Insurance?
Cyber insurance is designed for financial loss coverage for users of technology. Any MSP's client would be a candidate for cyber insurance because they're utilizing the services of an MSP. There are many different coverages, but some come up regularly that either aren't in the policy and should be, or are misunderstood due to sublimits.
Common Sublimits:
- Bricking: In insurance, bricking refers to a breach so severe that hardware (servers, laptops, phones, etc.) is rendered useless. Many insurance carriers will sublimit hardware replacement or bricking coverage.
- Cyber Crime: Phishing is often sublimited on a cyber policy to maybe $100,000 or $250,000 of coverage, which can be concerning since these incidents are frequent.
- Betterment: Insurance policies may include sublimits for betterment, which refers to replacing outdated hardware with newer, more expensive equipment. The policy aims to put you in the same place you were before an incident, but sometimes that's not possible if the old hardware is no longer available.
Ransomware and Extortion:
Some carriers are adding sublimits, coinsurance, or higher deductibles for ransomware and extortion. The details of these policies matter greatly, and it's important to review endorsements, changes, sublimits, exclusions, and carve-backs.
The Importance of Expert Guidance
Understanding cyber insurance policies can be complex. It's recommended to consult with an expert, such as an insurance agent or broker who specializes in cyber liability insurance. When filling out applications for cyber insurance, it's important to provide clear, honest representations of the IT controls in place, as these applications become part of the legally binding contract. If a claim is made and the controls were not as stated, the carrier can deny the claim.
Real-World Impacts of Policy Details
There have been cases where companies had claims denied because they did not have the proper security awareness training in place, as stipulated in their policy. Supplements and sublimits can have a significant impact, especially for small business owners.
Evolution of Cyber Insurance Policies
Cyber insurance policies have evolved from being simple (8-9 pages) to much more detailed (30-50 pages), asking about specific IT controls, security awareness training, and more. The COVID-19 pandemic accelerated this evolution, as remote work increased vulnerabilities and led to higher losses for insurance carriers. As a result, carriers have increased underwriting requirements and premiums.
Data-Driven Risk Assessment
Cyber insurance is now catching up to other insurance industries by using data to properly transfer risk. Carriers are starting to use predictive analytics and claims data to model potential catastrophic cyber risks, similar to how flood or property insurance is assessed.
Key Takeaway
Cyber insurance is maturing and becoming more accurate in assessing and transferring risk. The days of rapid premium increases and last-minute IT control updates are fading, and the marketplace is stabilizing as IT controls become standard.
Contact Information
If you have questions about cyber insurance or are looking for a policy, you can reach out to Brian Mahon. His information is available in the show notes.
Closing
Thanks for tuning in to Gone Phishing. For more information about high-quality security awareness training campaigns and how to launch them effectively, visit phinsec.io or check the show notes for more links.
Thanks for phishing with us today and we'll see you next time.