7 “Must Haves” For Cyber Liability Insurance in 2024

Dyanne Harvey

Content Marketing Manager

This guest post is authored by Jared Casner, cofounder of our partners, Blacksmith InfoSec. Jared loves helping small and medium businesses improve their cybersecurity posture. 


A few years ago, cyber liability insurance was an afterthought add-on that companies purchased alongside other policies. Now it’s a must-have policy for anyone with a digital presence. As cybercrime has increased dramatically over the last few years, the associated costs have also skyrocketed. How can companies keep pace with the rising prices while still getting the cyber coverage they need?

Cyber Liability Insurance: The Shifting Landscape 

When a company gets hit with a successful cyberattack, they face costs related to restoring their business, rebuilding their reputation, possibly paying regulatory fines, and perhaps paying ransoms. Plus, they (belatedly) start to invest in more stringent cybersecurity defenses.

Since cyber liability insurance was relatively easy to get, insurance companies had massive payouts over the last few years. This has led to rising premiums, higher deductibles, lower limits, and more stringent criteria for qualification in the first place. Today, good coverage is hard to come by and expensive when you can get it.    

A business leader can’t call a broker and buy a cyber policy on a whim. 

Consider this situation. A small business is hit with a ransomware attack. First, one of their employees was tricked into clicking a malicious link in an email. This infected the employee’s computer with a backdoor so the attacker could gain access.

Once a foothold was established, the attacker found sensitive company data and encrypted it with a key that only they had. Then they sent an email to the company demanding $100,000 to decrypt the data. At that point, the company was frozen – they had lost access to critical information they needed to conduct business.

Fortunately, their insurance company paid the ransom, provided them with legal support, brought in some cybersecurity experts to protect things, and got the business back online. Can you imagine the pain of paying out a 6-figure ransom and trying to navigate the legal and reputational issues on your own?

7 Things Companies Must Have for Cyber Liability Coverage

The good news is that the same things you need to do to make your business less vulnerable to cybercrime will also help you qualify for cyber liability insurance and may even lower your premiums. So, without further ado, here are seven must-haves for your business.  

1. Security Policies  

Security policies form the backbone of a security program. These define the “what” of your security culture. They should align with your company’s business and security objectives and any regulatory policies your organization needs to comply with.

The challenge most companies run into is that these policies are typically written for a technical audience and with auditors in mind, which means they use a lot of industry jargon that can be difficult for a cybersecurity novice to understand.

While generative AI platforms like ChatGPT can generate something vaguely resembling a security policy, these are often missing key components that insurance providers will expect. Therefore, we recommend that you hire a virtual Chief Information Security Officer or find reliable security policy templates online. 

2. Multi-Factor Authentication (MFA)  

MFA is probably the single best defense you have for preventing one of your users’ accounts from being compromised.

Let’s say you have a user click on a malicious link that takes them to a spoofed login page for some service. Your user enters their username and password into the fake website. Instead of getting logged in to the real system, your user has just given their credentials to an attacker. Now, the attacker tries to access your user’s account on the real site.

Without other authentication factors, the attacker is in and can act with the same privileges that your user has. They can also read and respond to your employee’s email. If you enforce MFA, however, when the attacker tries to log in and gets the prompt for the second factor, they’ll be blocked from access. In fact, Google found that even the most basic forms of 2FA – such as sending a confirmation text message with a 6-digit code – can prevent 100% of automated attacks, 96% of bulk phishing attacks, and 76% of targeted attacks.

More sophisticated MFA approaches like authenticator apps and WebAuthn (hardware security tokens) perform even better.
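To make the phishing scenario above concrete, here is an added example (not code from the original post or from Blacksmith InfoSec) of a server-side login check that requires a time-based one-time code (RFC 6238 TOTP) on top of the password. The user record, password and TOTP seed are constructed for illustration; with only the phished password, the check stops at "mfa_required".

```python
"""Toy MFA login check: a password alone never grants access (RFC 6238 TOTP, stdlib only)."""
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    # RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(key: bytes, at: int, step: int = 30) -> str:
    return hotp(key, at // step)  # counter = number of 30-second steps since the epoch

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

# Constructed sample user: the seed exists only here and in the user's authenticator app.
_SALT = secrets.token_bytes(16)
_SEED = secrets.token_bytes(20)
USERS = {"alice": {"salt": _SALT, "pw": hash_password("Spring2024!", _SALT), "seed": _SEED}}

def login(user: str, password: str, code: Optional[str] = None, now: Optional[int] = None) -> str:
    """Returns 'ok', 'bad_password', 'mfa_required' or 'bad_code'."""
    rec = USERS.get(user)
    if rec is None or not hmac.compare_digest(rec["pw"], hash_password(password, rec["salt"])):
        return "bad_password"
    if code is None:
        return "mfa_required"  # a phished password gets the attacker exactly this far
    now = int(time.time()) if now is None else now
    # accept the current step and one step either side to tolerate clock drift
    for drift in (-1, 0, 1):
        if hmac.compare_digest(totp(rec["seed"], now + drift * 30).encode(), code.encode()):
            return "ok"
    return "bad_code"

if __name__ == "__main__":
    t = int(time.time())
    print(login("alice", "Spring2024!"))                     # mfa_required
    print(login("alice", "Spring2024!", "", t))              # bad_code
    print(login("alice", "Spring2024!", totp(_SEED, t), t))  # ok
```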

3. Regular Backups & Offsite Redundancy  

We highlighted a story of a company that was hit by a ransomware attack earlier in this article. The reality is that they could have avoided paying the ransom entirely if they had good backups of their critical data.

There are plenty of backup services available that will take regular snapshots of your data to ensure even if your primary version is encrypted, you can still get your business back online. You will also want to make sure to keep secure copies of these backups in a separate facility or data center.

We had one company that was diligent about taking database backups, but only stored them in the same datacenter as their primary database. When the datacenter went down, it took both the primary database and all their backups with it.

Pro Tip: The National Cybersecurity Center of Excellence (NCCoE) also recommends regularly testing your backups to ensure they are viable.
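A restore drill is the only way to know a backup is viable. The following added example (not from the original post or Blacksmith InfoSec) snapshots a folder into an archive with a SHA-256 manifest, restores it into scratch space and reports any file that came back missing or altered; the "critical" data and the damaged-copy case are constructed for illustration.

```python
"""Backup drill: archive a folder with a hash manifest, restore it, prove every file is intact."""
import hashlib
import io
import json
import tarfile
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()  # whole-file read is fine for sample data

def make_backup(src: Path, dest: Path) -> dict:
    """Archive src under 'data/' and embed a manifest of per-file hashes taken at backup time."""
    manifest = {p.relative_to(src).as_posix(): sha256_file(p) for p in sorted(src.rglob("*")) if p.is_file()}
    with tarfile.open(dest, "w") as tar:
        tar.add(src, arcname="data")
        blob = json.dumps(manifest).encode()
        info = tarfile.TarInfo("MANIFEST.json")
        info.size = len(blob)
        tar.addfile(info, io.BytesIO(blob))
    return manifest

def verify_restore(backup: Path) -> list:
    """Restore into a throwaway directory; return the files that are missing or do not match."""
    with tempfile.TemporaryDirectory() as scratch, tarfile.open(backup, "r") as tar:
        for m in tar.getmembers():  # refuse members that could write outside the scratch dir
            if m.name.startswith("/") or ".." in Path(m.name).parts:
                raise ValueError(f"unsafe archive member: {m.name}")
        tar.extractall(scratch)
        root = Path(scratch)
        manifest = json.loads((root / "MANIFEST.json").read_text())
        return [rel for rel, digest in manifest.items()
                if not (root / "data" / rel).is_file() or sha256_file(root / "data" / rel) != digest]

def run_drill(damaged: bool = False) -> list:
    """Constructed end-to-end drill; damaged=True simulates a copy whose contents silently changed."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "critical"
        (src / "db").mkdir(parents=True)
        (src / "db" / "customers.csv").write_text("id,name\n1,Ada\n2,Linus\n")
        (src / "config.json").write_text('{"offsite_copy": true}')
        backup = Path(tmp) / "critical.tar"
        make_backup(src, backup)
        if damaged:  # a later member with the same name overwrites the good copy on extraction
            with tarfile.open(backup, "a") as tar:
                bad = tarfile.TarInfo("data/db/customers.csv")
                bad.size = 4
                tar.addfile(bad, io.BytesIO(b"\x00" * 4))
        return verify_restore(backup)
```

`run_drill()` returns an empty list for a clean backup and `['db/customers.csv']` for the damaged one; in practice the drill would be pointed at a copy pulled back from the offsite location, not the original.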

4. Data Encryption 

In security circles, you’ll hear about data being encrypted “at rest” and “in transit.” But what do these terms mean?

Encryption is a mechanism for securing data, typically using some form of digital key. Both the sender and the recipient have copies of the key so they can lock and unlock the data and read the contents. An attacker, however, wouldn’t have this key and is therefore unable to read the data.

“At rest” refers to where you store the data. So, when data is encrypted at rest, that means that wherever it is stored – on your laptop, in the cloud, or in your data center – it is stored using a lock and key.

“In transit” refers to how the data is moved around. The most common example you may not even notice is in your browser using HTTPS. In most browsers, you’ll now see “Not Secure” next to the URL when the site you’re visiting doesn’t use encryption.

For an example of an insecure website, you can check out http://httpforever.com/ which was expressly built to NOT use HTTPS.  

5. Updated Network & Systems 

One way attackers find success is by exploiting vulnerabilities in the systems you use. Once an attacker finds one of these vulnerabilities, they quickly write code to look for companies that are still using the vulnerable version.

Some of these vulnerabilities are widely publicized, like the Log4j vulnerability that was discovered in 2021.

However, many of these are more quietly fixed by the software vendors. Because of this, it is important to regularly update your network and systems to ensure that you take advantage of the security improvements your vendors provide.

When systems aren’t patched in a timely manner, organizations are exposed to critical risks. One of the most famous breaches due to a lack of patching was the Equifax breach in 2017.

Having clear guidance in your security policies and adhering to those schedules is a good way to show insurance companies how seriously you take protecting your systems.  

6. Security Awareness Training 

Do your users know:  

  • How to spot a potentially malicious email?  
  • How to avoid the dangers of coffee shop Wi-Fi?  
  • What their regulatory obligations are for protecting data?  

If you answered no to any of these questions, you need to invest in security awareness training for your employees. A 2018 investigation showed that 93% of breaches were caused by some form of social engineering. This means that the first line of defense for your organization is your staff – better training correlates strongly with improved security. 

7. Incident Response Planning  

When all else fails and something goes wrong, how do you respond? Who do you call? This is a scenario we all hope to never be in, but the reality is that in business, as in life, stuff happens.

A good Incident Response Plan outlines how your company will respond to a crisis – who is involved? How do you react? When do you communicate? It should include a list of internal and external stakeholders to make sure you get the right people in the room at the right time.

And, while having a plan is good, testing that plan is better. Just like you wouldn’t want a firefighter to respond to a house fire without preparation and training, you don’t want your incident response team trying to read the plan for the first time while responding to a cyberattack.   

 

Other Risk Management Considerations 

In the realm of cyber liability and cybersecurity, businesses should consider several layers of defense to fortify their digital assets. Let’s delve into essential cybersecurity practices. 

Single Sign On (SSO) 

Implementing SSO for your organization provides a great way to simplify your users’ lives while also making your company more secure. The more tools you integrate with SSO, the fewer times your users will need to log in and the fewer passwords they will need to remember. This makes things flow more smoothly for them during the day.

At the same time, you can take advantage of a single source of truth for your user accounts and focus your security efforts on a smaller target. Plus, if a user leaves the organization, you can effectively revoke access to most services from a single location.   

Password Managers 

One of the side effects of things getting more secure is that most systems now enforce strict password complexity. You’ve probably seen this before – your password must be at least 12 characters, contain uppercase, lowercase, numerical, and special characters.

Having passwords that meet these criteria but are still memorable to humans means we end up creating passwords like P@s$worD123! Not surprisingly, attackers have written some very simple “password crackers” that can easily guess these types of passwords, meaning we’re still no more secure than before.

Enter password managers.

These tools auto-generate passwords that are hard for humans to remember and hard for machines to guess. But, since the password manager remembers your password for you, you don’t have to worry that it’s hard to remember.   

Risk Management Program 

Early on in a company’s life, managing risk is relatively straightforward – if we don’t do X, then the business will fail. Over time, as your customer base grows and your company grows up, a more comprehensive approach to risk is required.

As with any other form of insurance, if you can demonstrate to your insurer that you’re a lower risk option than the general population, you’ll be more likely to get better coverage at lower rates. One way to demonstrate your commitment to lowering risk is through a formal risk management program.  

Directors and Officers Insurance 

Shareholders, competitors, investors, etc., can sue a company’s directors and officers, putting their personal assets at stake. Directors and Officers (D&O) insurance protects these assets from lawsuits alleging that leaders committed wrongful acts in managing the business.

Errors and Omissions Insurance 

Errors and omissions insurance, also known as E&O or professional liability, covers companies in third-party or client lawsuits claiming inadequate work or service. Individuals in the professional services industry lean on this coverage heavily, such as real estate agents, attorneys, and medical professionals, to name a few. And for good reasons: human errors or oversights, missed deadlines, budget overruns, incorrect advice, etc., often result in costly cases — but E&O insurance responds to these mishaps. 


Have you been feeling increased pressure to protect your company’s cyber world? We know that the hardest part of your cybersecurity journey is taking the first step. Consider teaming up with a trusted partner for a free cybersecurity consultation to get started on your security program without breaking the bank.
