Mitigate Data Risk with Cyber Insurance

Cyber insurance coverage is meant to offset expenses incurred during a data breach or cybersecurity event. These policies should provide coverage for both first and third-party claimants. First-party coverage includes losses to the organization or individual affected, while third-party coverage addresses legal action taken by customers or partners. These policies can vary in terms of coverage and premiums but typically account for organization type, service provided, data risk and exposure, and current security policy. Cyber insurance can help recoup costs associated with:

  • Recovering compromised data

  • Legal settlements and regulatory fines

  • Hiring experts to identify and repair damage

  • Notifying customers, and providing identity and credit monitoring

  • Business interruption, network downtime, and lost employee productivity 

Cyber insurance can be a great option for companies that are looking to improve their resilience. That said, as ransomware attacks increase and compliance frameworks become more strict, many companies are being refused coverage for failing to meet security standards. Many insurance companies do not pay claims if the covered party fails to maintain a secure environment through a lack of documentation or controls. If your business is looking to pursue cyber insurance, you should work closely with your IT team to meet provider standards.

A great cyber insurance provider will have an intimate knowledge of compliance requirements, remediation tactics, coverage plans, and considerations that are unique to your industry. Here are five things to look for when choosing your cyber insurance provider:

  1. Products and Coverage - understand what 1st and 3rd party losses are included in your coverage, such as: breaches, ransomware, cyber-crime, and risk analysis tools.

  2. Pre-Breach Services - your company should have timely and appropriate analysis of your cyber risk in financial terms. 

  3. Breach Response Services - know what to do after a breach, such as PCI re-certification services, notification expenses, foreign notification, PR expenses, overtime compensation, reputational harm, etc.

  4. Distribution - you need an insurance provider that can work directly with your MSP and IT teams.

  5. Cyber Tools - solutions such as threat monitoring, DDoS mitigation, credential monitoring, and patch management go a long way in improving your overall cyber posture.

Cyber Security Insurance

Compliance Roadmap

Identify Risk

Compliance starts with visibility. Conduct a 360° Security or Compliance Benchmark assessment.

Incorporate a Framework

Classify data according to the most relevant and restrictive compliance frameworks. Customize controls to meet organization-specific requirements.

Enforce Policies

Maintain data protection and retention policies, monitor user access, and field suspicious activity. 

Top Regulatory Compliance Frameworks

Top Regulatory Compliance Frameworks

  • GDPR

    The EU General Data Protection Regulation (GDPR) is effective as of May 25, 2018. It affects all organizations that hold personal data on EU citizens, regardless of where the organization is based in the world. Implementing a data protection strategy that includes encryption and anti-malware security is vital.

    General Data Protection Regulation
  • HIPAA

    The Health Insurance Portability and Accountability Act (HIPAA) applies to any organization that collects, stores or shares protected health info (PHI), including health plans, healthcare clearinghouses, and providers who conduct financial and administrative transactions electronically, like hospitals.

    Health Insurance Portability and Accountability Act
  • CIS

    The CIS Critical Security Controls provide a catalog of prioritized guidelines and steps for resilient cyber defense and information security mitigation approaches. This gives organizations an organized security action plan to stay compliant with major industry regulations like HIPAA, PCI DSS, and more.

    CIS Critical Security Controls
  • NIST

    The National Institute of Standards and Technology Cybersecurity (NIST) framework consists of standards and best practices to manage cyber risk. It was developed with a focus on industries vital to national and economic security, including energy, banking, communications, and the defense industrial base.

    National Institute of Standards and Technology Cybersecurity
  • MITRE ATT&CK

    The MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework models cyber adversary behavior, attack lifecycles, and commonly targeted platforms. MITRE provides strategies across disciplines including intrusion detection, threat hunting, security engineering, risk management, etc.

    MITRE ATT&CK
  • PCI DSS

    The Payment Card Industry Data Security Standard (PCI DSS) is a set of twelve security standards to ensure all companies and vendors that accept, process, store, or transmit credit card and financial information secure it to protect cardholders against misuse of their personal information (PII).

    Payment Card Industry Data Security Standard
  • SOX

    The Sarbanes-Oxley Act of 2002, aka the Public Company Accounting Reform and Investor Protection Act, responded to a number of major corporate and accounting scandals. All publicly-traded companies are required to comply, and a number of the Act’s provisions apply to privately held companies.

    Sarbanes-Oxley Act
  • ISO/IEC 27001

    ISO 27001 is an international standard published by the International Standardization Organization (ISO). It provides methodology for business information security management. The focus of ISO 27001 is to protect the confidentiality, integrity, and availability of a company’s information.

    ISO/IEC 27001