As the threat landscape evolves, an increasing number of businesses are turning to cyber liability insurance as a way to help mitigate risk. If you are considering cyber liability insurance for your organization, there are a few things that are important to understand about these types of policies and their requirements.
Like other types of insurance, cyber liability insurance is a mechanism to share the risk of doing business with other organizations. After you have taken prudent steps to minimize risk, insurance can reduce residual risk and potential losses. For example, property insurance allows organizations to hedge against losses associated with fire, theft, flood, and other risks.
Cyber liability insurance, by comparison, is typically designed to help organizations hedge against losses from noncriminal incidents such as staff mistakes, mishandling of records, and improper information disclosure, as well as from cybercrime such as malware, hacking, phishing, DDoS attacks, business email compromise, extortion, ransomware, and banking fraud.
Cyber liability insurance may also provide protections for data restoration, intellectual property loss, regulatory defense expenses, fines, and penalties. (Under most privacy legislation, however, the final legal responsibility for protecting PII still rests with the organization itself.) Business leaders need to consider each of these risks, and many more, and then devise a strategy.
Cyber risk strategies
To minimize the residual cyber risk associated with business activities, organizations can:
- Avoid the risk altogether by choosing an alternate way of doing business that eliminates the cause of the risk
- Assign as much risk as allowed by law to a service provider by outsourcing the activity, though doing so may introduce new risks that should also be considered
- Reduce the risk by implementing countermeasures and security controls that can mitigate exposure
- Purchase cyber liability insurance to transfer specific risks to an insurance carrier
- Accept the residual risk and plan to tolerate potential losses
Cyber insurance carriers assume you have an existing security program
In some ways, cyber liability insurance is a lot like property insurance. With property insurance, a carrier may want to know what countermeasures you have put in place, like fire extinguishers, smoke and burglar alarms, surveillance and fire suppression systems, monitoring services, or 24×7 security guard services, before insuring you against fire and theft.
With cyber liability insurance, a carrier will attempt to ensure due care by asking about your approach to identity management, access control, data classification/encryption/backup, email security, security awareness training, vulnerability management, network and endpoint security, as well as network visibility, incident response, compliance frameworks, industry standards, and even procurement.
Cyber insurance requirements guide
Some carriers’ cyber liability insurance application questionnaires are just two pages long, while others run to 10 pages or more. Many questions relate specifically to your policies and procedures, to confirm that you have a mature security program. Others ask about the specific technical capabilities and limitations of your security technologies.
To help you get started, Barracuda has created a list of common questions and attestations present in cyber liability insurance applications and how you can leverage Barracuda to respond to those questions. With Barracuda’s cyber insurance requirements guide, you can better plan for your insurance needs and ensure you have the right cybersecurity solutions to secure the best and most cost-effective insurance policy for your business.