Don’t let cyber insurance distract you from your IT strategy
- By Rachel Eckert
- Mar 27, 2020
Government IT professionals considering taking on cyber insurance to protect their agencies from internet-based risks may be taking the easy way out -- at the expense of a better strategic cybersecurity posture to prevent attacks.
Rather than spend that money on a policy, they should redirect it to the critical updates and future upgrades that reduce the chance of a successful attack in the first place.
A growing problem with no signs of abating
In the state, local and education (SLED) marketplace, and in fact nearly everywhere else, ransomware attacks show no sign of slowing down. According to a report from Emsisoft, at least 113 state and local governments and agencies and 89 K-12 school districts, colleges and universities were hit by ransomware in 2019. Cyber research and media firm Cybersecurity Ventures has predicted that cybercrime as a whole will cost as much as $6 trillion annually by 2021.
Breach notification laws are on the books in 48 states, and many states are developing legislation to criminalize ransomware. More than 300 separate cybersecurity bills have been introduced across 43 states, with 31 states enacting cybersecurity legislation and five states criminalizing ransomware.
With no sign yet of the problem abating, ransomware has driven a surge of interest in cyber insurance. But what buyers are promised and what they actually receive may be two different things.
Understanding the pros and cons of cyber insurance
There are two types of cyber insurance coverage, “first-party” and “third-party.” According to one provider, the distinction is that first-party insurance covers a company’s own damages from cyber losses. Third-party coverage, on the other hand, is like general liability insurance. It covers legal expenses that result from a firm being blamed for causing another party’s cyber losses.
Among the expenses that may be covered by cyber insurance are the costs of notifying clients, engaging credit monitoring services and rolling out public relations campaigns as well as lost revenue due to the breach. Ransom, attorney fees and defense before regulatory/legislative bodies may also be covered, but policies and coverages differ.
This all seems like a very prudent and responsible course of action for agencies facing accelerating internet-related criminal attacks. Unfortunately for policy holders, cyber insurance can come with loopholes and gaps that may result in claims not being paid.
In fact, payments can be denied for any number of reasons, many of them hard to anticipate when the policy is signed. In one high-profile case from private industry, Mondelez International sued Zurich Insurance after Zurich refused to pay its claim for the NotPetya attack, citing the policy's "war exclusion" clause. Mondelez put the cost of recovery, including replacing laptops and tallying lost orders, at $100 million. As was widely reported, once NotPetya was publicly attributed to Russia, insurers had a justification for denying coverage under war exclusion clauses. The practical lesson for a policy holder is that whether a claim is paid can turn on who the attacker is later found to be, a question entirely outside the victim's control.
While many insurance companies sell cyber coverage, the policies are often written narrowly to cover costs related to the loss of customer data and helping a company provide credit checks or cover legal bills.
This is not to say that cyber insurance is bad or not worth the money. It is a reasonable business decision to make. But agencies still need a sound IT strategy that can help them reduce the chances of having to use the insurance in the first place.
Even in the best case, a cyber insurer may simply pay the ransom, because that is less expensive than funding a full forensic investigation and recovery. That approach does nothing to reduce the number of ransomware attacks. Worse, it may encourage more of them, because every paid ransom confirms the attacker's business model.
Cyber insurance can be a great addition to an agency’s cybersecurity toolbox, but it is only one piece of a good strategy. Other important features of a sound strategy include plans for continuity of operations, disaster recovery and active patching.
Here are four key steps that should be built into any cyber strategy:
- Mitigate the gaps: Patch systems, back up data (and regularly test that the backups can actually be restored) and bolster access credentials.
- Become more predictive: Evaluate forensic and detection technologies and adopt automated threat detection so attacks are spotted early rather than reconstructed afterward.
- Increase awareness: Train both IT and non-IT employees in good security practices.
- Plan strategically: Develop and keep incident response plans updated, develop crisis communications plans and increase awareness among legislative bodies about the importance of maintaining funding.
There is definitely a business case to be made for cyber insurance. Be careful, however, not to let complacency set in. For agencies forced to choose between spending money on cyber insurance or an improved IT cyber strategy, the answer is clear. A sound cyber strategy should be their first priority and is the best way to minimize risk in these times of proliferating ransomware attacks.
Rachel Eckert is a state and local government and education (SLED) market intelligence manager with immixGroup, an Arrow Electronics company. Reach out to Rachel on LinkedIn.