It’s hard to believe now that we will be approaching the last full week of October.  Where has this year gone?  It has flown by.  At this point in time, many of those in Corporate America are now starting to wind down business activities and trying to meet end of year budgets in last push. 

As far the as the Cybersecurity front is concerned, well, this never slows down, or even sleeps.  All of us in this industry, including us writers, are always trying to stay on top of the latest trends.

But, as mentioned, as the year now is going to come to an eventual end here, many experts are trying to predict what 2020 will hold.  Of course, nobody can say for sure, but it is quite likely that the existing Cyberthreats will still be out there, but just new variants of them. 

As I have also described in the past, one of the biggest fears is on the attack to Critical Infrastructures.

If this were to be hacked into, it would take a long time to recover.  We are not talking days; it would be weeks and perhaps even months.  Probably some of the prime examples have been the recent attacks that took place in Texas, and most notably that of Baltimore, which made all of the major headlines. 

In response to all of this, there will also be a new trend that will emerge – that of Cybersecurity Insurance.

Because of what it all has been through, the City of Baltimore will has purchased a sweeping, brand new $20 million policy in order to protected not only its assets, but the people whom have been impacted by it as well, which includes mostly the city workers.  According to news reports, the Baltimore Board of Education just approved of this last week and gave the go ahead.

It is highly anticipated that this plan will include coverage for the following:

*Expenses that incurred for Incident Response expenses;

*Any sort of downtime that has occurred because of recovering stolen information and data;

*Implementing stronger Network Security Protocols in the city’s IT Infrastructure.

When the city was attacked, it suffered over $18 million in damages alone.  This included the disruption of the city’s Email system, temporarily shutting down payment systems such as those related to water usage billing and even real estate transactions. In response, the Cyberattacker(s) demanded $76,00o to be paid in Bitcoin.

But the city never paid up (which is a very good thing), and thus, this further delayed in the complete restoration of fully functionable government services.  It is expected that this Cybersecurity insurance policy that has just been acquired will be kept for the upcoming years by the city.

My Thoughts On This

As the threat landscape will keep getting more covert and sophisticated in 2020, many of businesses, not matter how large or how small, or even what type of industry they serve, will find the acquisition of Cybersecurity Insurance to be a comforting fact. 

After all, if they get hit, they just file a claim and they will get the reimbursements?  In some cases, this will happen, but not in most.

In all honest, the Cybersecurity Insurance industry is just about as messed (if not more) and complicated as the healthcare insurance industry.  Let me illustrate this with a real example.  About seven years ago, I was hit with a massive heart attack, and required extensive open-heart surgery.  I had a good medical insurance plan and thought I would be covered all the way.  But this did not happen.

When the first bills came started to come through, I was shocked.  My heart surgeon’s bill was $6,000, and my insurance only covered half of that.  After refiling numerous times, in the end, I had to cough up that money.  This example is directly analogous to that, say of the SMB that has just protected a Cybersecurity Insurance Policy. 

Just because you have it, don’t get lax in your security approaches, because if you are hit, the nightmare of not getting paid for all of your damages will start, and the headaches of trying to fight with your insurance carrier will only get worse – just as in the case of my open heart surgery.  But you may be asking why is the case?  Well, here are some key reasons for this:

*Although Cybersecurity Insurance has been around for many years, its popularity and demand has just started to grow.  Because of that, there are still a lot of uncertainties and ambiguities that need to be answered – that is why I say it is even more messed up than healthcare insurance.

*The insurance carriers that are carrying these kinds of policies are just the major ones – such as Hiscox, Nationwide, State Farm, etc.  What they offer may not be necessarily the best for your own businesses’ circumstances.

*When evaluating the application of a potential policy holder, the major insurance carriers don’t use really any sort of quantitative risk measure per se.  Rather they look at each applicant on a case by case basis, carefully scrutinizing all of the security practices that they have been in place.  For example, is there a Security Policy in place?  How about a Disaster Recovery Plan?  Are these rehearsed on a regular schedule?  What kinds of safeguards have been implemented to protect the Personal Identifiable Information (PII) of both customers and employees?  Has the applicant been impacted by a Cyberattack before?  If so, how quickly were they able to recover and notify affected parties (such as those of customers)? And so on.  So, the bottom line is that when you think you will get a policy, you may not get one in the end because your business has gone astray in the past on any of the above-mentioned factors (and others as well).  Thus, the Cybersecurity Insurance carriers have recently been accused on a large scale for being discriminatory and not treating all of the policy applicants in the same regard.

*Depending upon how large your business is, you could be paying an exorbitant amount in monthly premiums but not a get a much higher return when you indeed file a claim.  Again, it is just like the healthcare industry-you may pay a lot into the system but get only pennies on the dollar back in return.

*The Cybersecurity Threat Landscape is constantly changing on all a daily basis.  Thus, this makes it even more difficult for the major carriers to keep up in what their policies will cover.  For example, if your business is hit by a Cyberattack, more than likely you will be paid out for the direct damages.  This would include such things as the expenses to bring your business back up to a normal state of business operations, provided that you followed the Disaster Recovery plan that you had in place (yes, the insurance companies even look at this before they make a payout).  But, will they pay for indirect damages and expenses such as offering free credit report services to impacted customers down the road, paying for lawsuits, the costs that are associated with notifying affected stakeholders, etc.?  You could potentially get these kinds of coverages, but it will have to be included as separate addendums or add ons to your main policy.  So, this makes things even more complex.  The direct costs and the indirect costs, in which the latter can prove to be exorbitant in the end and worst yet, even unpredictable.

The above are just some of the main factors in which why the Cybersecurity Insurance is still so murky.  There are others as well, such as the lack of a best standards or practices in which to accept and pay out policy holders. 

In turn, Corporate America is scrambling to find ways to prove to the insurance carriers that they are worthy of having a comprehensive plan at a fair price.

As a result, many of these businesses are turning to Cybersecurity vendors that claim they can calculate your so-called Cyber Risk Score that you can use to show a carrier the level of risk.  In fact, many of them even claim that their process is like calculating a Credit Score.

But be very careful of these claims, as many of these vendors are very guarded in telling you how they compute your so-called Cyber Risk Score.  In fact, because of the lack of standards and best practices, many insurance companies probably would not even recognize this at all in deciding your worthiness to be awarded a policy.

In the end, at least for short term, it is always best to go through an insurance broker that you know and trust, and deal with them directly.  After all, they know all of the ins and outs of this kind of industry, and probably even have the level of contacts that they work with in order to get you the best coverage possible for the most affordable price possible.

But to the business owner, keep this in mind as well:  Just because you have a comprehensive Cybersecurity Insurance Policy in hand not, don’t think you can relax.  Many of these larger insurance will require that you be proactive in your current security protocols, if not you could face even higher premiums, or your policy could be terminated all together. 

Also be aware that you may even be subject to an audit by them just to ensure that you are “up to snuff”.