Here we are today, on the longest day of the year. Today starts the summer solstice!! Today, there is supposed to be around 15 hours of solid daylight, which is 6 hours more than the winter days. So, go out there, and enjoy yourselves!! But be careful of course and take the usual COVID19 precautions as required by your local municipalities.
With this start of summer, businesses are also starting to open up once again, but there has been an uptick in the number of cases being reported. There are rumors of yet another shutdown, but who knows what will happen next.
I also had a few great podcasts this past week, ranging from AI to learning more about the CMMC, to even deploying the Zero Trust Framework. But in all of these podcasts, there was a common thread: The lessons learned so far from COVID19.
There are some key ones, as I have mentioned in the past in numerous postings, such as the importance of Business Continuity (BC) Planning, and using the Cloud-based platforms of Azure and AWS to mobilize your remote workforce in case the need arises again. But there is yet another aspect which businesses are learning about as well: The need for Cybersecurity Insurance.
Long story short, this is where you can purchase an insurance policy, and if you are hit, well then you can file a claim and expect to get your payout. Cybersecurity Insurance is available through many of the large insurance carriers, such as Nationwide, State Farm, and Hiscox, to name just a few.
Many people have likened this to car insurance in that if you have an accident, all you have to do is call your insurance company and take your car somewhere to get it fixed.
However, with Cybersecurity Insurance, it is not nearly as easy as that. There are a number of key reasons for this, some of which are as follows:
*Although the concept of it is not new, the real-world application is still quite new. Many insurance companies are still coming to grips with how to determine risk profiles not only for their existing policy holders, but also for the new ones that they are trying to onboard as well. One of the main reasons for this is that calculating the level of risk is not an easy task.
There is no uniform set of standards that has been adopted, and there is a whole host of both qualitative and quantitative variables that need to be looked at and examined.
*The actual policies themselves can be quite complex, and because of that, you may think that you are 100%, totally covered, when in reality, you may not be. For example, you will be compensated for the immediate damages that a Cyberattack brings upon you, but what about the lawsuits, brand damage, free credit reporting services that you will have to offer to your customers, etc.? Those likely will not be covered, unless you have other specific addendums added on to your main policy.
*Unlike car insurance, or even medical insurance, trying to get a good, comprehensive Cybersecurity Insurance Policy means that you will have to go through a bunch of hurdles. For example, not only do you have to prove that you have airtight Security and Compliance Policies in place, but you also have to prove that your employees are maintaining good levels of Cyber Hygiene after you have procured your insurance policy and it is in place. You can even still face audits by your carrier after the fact.
But despite all of the above, many SMBs are still forging ahead with plans to buy some sort of Cybersecurity Insurance Policy for their business. This finding has been quantified by a recent market research project that was conducted by an organization known as Cowbell Cyber. Believe it or not, they even used Artificial Intelligence (AI) to come up with the results of their survey. It is entitled “The Economic Impact of Cyber Insurance”, and it can be downloaded at this link:
In this project, 1,009 companies were surveyed, across a span of 15 different industries. 9/10 of the individuals that responded to the actual survey were members of the C-Suite (most likely the CIO and/or CISO). The timeframe for this study was from November 2019 to January 2020. Here are some of the key findings of it:
*65% of the SMBs polled are planning to either ramp up or purchase brand new Cybersecurity Insurance Policies;
*71% of those SMBs that also reported having Cybersecurity Insurance already in hand claim that their policies are capped at $1,000,000,000.00. But this is not a hard and fast rule, as this cap is heavily dependent upon the industry that the SMB is in. This is demonstrated in the illustration below:
From the above, one can see that the industries of financial, consumer, technology, and energy/utilities are extremely undercovered. This is quite surprising, as these are the sectors that are some of the hardest hit when it comes to the loss of Personally Identifiable Information (PII) and attacks on critical infrastructure.
*There is also a severe gap between the Cybersecurity Insurance Loss Limit and the Expected Loss amongst the life sciences, healthcare, retail/hospitality, and telecom industries. This is also illustrated in the diagram below:
*62% of the SMBs feel that their investment in a Cybersecurity Insurance Policy is a good one;
*For the most part, the businesses polled in this survey decided to up their coverage limit by only 0.14% (I am assuming that this is due to the much higher premiums that have to be paid out);
*55% of the SMBs feel that the biggest risks to their organizations are that of employees using personal devices (also known as “Bring Your Own Device”, or “BYOD”) and the lack of the use of Multifactor Authentication (MFA);
*35% of the SMBs only buy the relevant policies because their customers made them do so, and the other 30% of them were required to as a form of recourse to impacted stakeholders, primarily those being customers.
My Thoughts On This
I have got to be honest; this is probably one of the very few times that I have seen a comprehensive analysis like this being done for Cybersecurity Insurance Policies. But after I look at the findings in a little bit more detail, the first troublesome spot I find is that a majority of the SMBs only purchased a policy because they were literally forced to. I would think this would be a necessity right now, without any question.
True, these kinds of insurance policies are not cheap by any means, but let us put things in perspective here. The total cost of a Cybersecurity breach and its lingering aftereffects is far, far greater than that of the costs of the monthly premiums. Thus, I would think that this would be a motivating factor in and of itself.
Second, it looks to me like the SMBs are fully aware of some of the risks that they are facing. If they know it, why do they not do something about it, especially in the way of BYOD? True, just about every business had to deploy their remote workforces rather quickly, and because of the costs associated with deploying company issued devices, many of them let their employees use their own personal laptops and/or wireless devices.
But as mentioned before, with the advent of Azure and AWS, you can pretty much virtualize all of these devices, which employees can access safely and securely from anyplace in the world, at any time that they need to.
Third, I was never really aware that there are limits, and this is probably due to my newness in this field of Cybersecurity. IMHO, I do understand these caps, just like we have them for both medical insurance and car insurance. But there should not be any disparities in this.
In my view, I think all businesses, no matter how large or how small, or whatever industry they are in, should have an equal shot at procuring a good Cybersecurity Insurance Policy that meets their needs.
In the end, COVID19 will even further define the role as to how Cybersecurity Insurance Policies will stand out with Corporate America in the near future. As new threat variants emerge from it, the need for policies will be far greater than ever before.
Finally, as a shameless plug, late last year, I signed a book deal on this very topic. The formal work on the manuscript will not begin until early next year, but stay tuned. This book will cover a lot of the concepts of the world of Cybersecurity Insurance that we are now only starting to understand.