Cyber Insurance Planning

It’s nearly 6 a.m. and you lean over to your nightstand to turn off an alarm that’s bound to go off any second. After hitting snooze a couple of times, you can’t risk getting caught up in the next REM cycle. You want to, but there’s too much to do at the office.

You grab your smartphone and adjust the brightness so you don’t blind yourself. Then a notification catches your attention. This alert isn’t normal.

Are you dreaming? No, you’re not. You quickly realize that the inevitable breach has finally hit your organization. 

But wait! You have cyber liability insurance. Does this mean you can set another alarm and enjoy an additional 30-45 minutes of sleep? Yes? No? Maybe? What does your cyber insurance cover and what kind of impact does it have on your security team? These are all questions you should be able to answer, whether you already have cyber insurance or are interested in signing up.

Many security practitioners aren’t intimately familiar with cyber liability insurance. Much like typical car insurance, it comes in two main forms: first party and third party.

First party insurance is when the insurer pays for something that happens to you. When you harm someone else, that's when third party insurance kicks in. You can buy cyber insurance that covers either. 

Cyber insurance can cover costs associated with communicating with the organization's customers who have been impacted by the data breach, such as credit monitoring fees. But it also goes beyond those simple costs, says Jake Kouns, CISO at Risk Based Security.

“From things like ransomware, regulatory fines and penalties, credit card fines and breaches…a lot of it can be covered and it can really be great for your risk management program,” Kouns said during a video interview with Infosec Insider shot at InfoSec World 2017. “Coverage exists for pretty much all types of data breaches that are out there. It just depends on the policy that you get.”

Many things can be covered, but there are also some that are not. This is where the misconceptions lie, says Kouns.

“While there are situations where the coverage won’t respond for very good reasons, there have been some cases where the product is maturing and they didn’t pay claims,” Kouns said. “Those have been highlighted as the major reason why you shouldn’t get cyber insurance.” 

In this interview, Kouns offers helpful advice to security professionals on cyber insurance, sheds light on its biggest misconception, and highlights why security pros need to know the ins and outs of their cyber insurance policies.