For many firms, cyber liability insurance provides critical protection from financial loss stemming from a cyber incident, from legal damages and business interruption, to crisis management and investigation expenses. But as it’s a relatively new, evolving, and very specialized type of insurance, businesses must exercise due diligence when shopping around for a new policy or looking to renew their coverage.
BDO’s Vivek Gupta and Chetan Sehgal, Partner and BDO Leader, Forensic Insurance Services, have five practical pointers for leaders:
1. Hidden vulnerabilities typically come to light only after a successful attack. Conduct a risk assessment of your control environment and develop a prevention program—or work with a firm that can—to purchase the most appropriate plan for your needs. A cybersecurity and forensics partner like BDO can also conduct a cost-benefit analysis to identify your blind spots so you can focus your insurance coverage on those areas, or, better yet, remove those blind spots prior to applying for insurance to avoid denial of coverage or high premiums.
“Once you understand your control environment, you can request quotes from several different underwriters to compare coverage options and conduct proper due diligence on not only the policy, but the insurance company.”
2. Work with your insurance broker or underwriter to ensure the policy fits your type of business and that you’re fully aware of what’s covered—but more importantly, what isn’t covered.
“Review various cyber insurance options, familiarize yourself with the policy, and ask the right questions. We recommend that you be very mindful when selecting a policy to make sure it will apply to your situation. Work with experts who specialize in cyber insurance and have experience in your industry and geography to ensure you are getting the best possible advice.”
3. Select a response team you trust before an incident occurs.
“If you’ve had a breach, it’ll throw you into utter chaos as you try to be as operationally viable as you can. Dealing with an underwriter and other advisors you're comfortable with will make that process as smooth as possible. An effective response to a cyber incident is one that has been devised as part of contingency plan strategies and risk management. You need to have a team in place that can help you respond on short notice, including legal counsel, cyber breach professionals, and claim consultants or accountants.”
4. Take time to understand the policy fine print. Insurance policies aren’t created equal and with cyber insurance being a relatively new product, many buyers aren’t aware of the pitfalls associated with these policies.
“Some insurance companies will conduct an assessment before they provide you with a policy and premiums. You have to understand what you're signing up for and what your responsibilities are to protect yourself. As the loss ratios on cyber claims have skyrocketed in the past year, the amount insurers cover appears to be declining while premiums are rising.”
5. Implement a comprehensive suite of cybersecurity controls and protections.
"Some clauses in insurance policies state that unless it can be determined that an organization had the right preventive controls in place, they will not issue a payout. Also, the more robust your controls are, the lower the risk of a breach, and that's going to affect the premiums you pay."
Reactive and proactive cybersecurity measures working together
Above all, business leaders must not lose sight of the fact that cyber liability insurance is a reactive solution and does not prevent an attack from happening. That's a serious gap, because loss from cyber crime isn't just financial; it also disrupts an organization's culture, operations, and reputation.
That means insurance is only one piece of the cybersecurity stronghold.
"Insurance is important because cyber attacks are happening more often, and it allows you to recoup some of your losses—but the bigger piece of it is prevention and addressing the root cause, which is plugging the holes in the potential for those attacks. You can't rewind if data is exposed," observes Michael Macdonald, BDO Senior Manager, Forensic Disputes & Investigations.
Businesses that double down on developing a well-designed business network defense strategy, securing their endpoints, and launching proactive detection and response mechanisms are better primed to recover with minimal damage.
How BDO can help you understand your cyber insurance needs
From quantifying the post-incident losses to proactively helping you understand the appropriate level of coverage, BDO can support your business throughout the insurance cycle.
We often get retained to deal with post-incident response, but our counsel doesn't stop there. Our cybersecurity and digital forensics team can help fortify your organization using proactive tactics that include focusing on employee awareness and training, conducting due diligence on your company's preventive controls, and quantifying risk to help you ensure the cyber insurance policy you choose meets your needs.
The value of working with BDO includes:
- Cybersecurity starting at the core—To help you choose the most relevant cyber insurance policy, we identify your key data assets and test for application and infrastructure vulnerabilities. Focusing on the internal controls that help prevent cyber incidents from happening in the first place, we perform a cyber assessment of your digital environment and set achievable goals by developing an effective cybersecurity strategy.
- Round-the-clock cyber support—Our team knows that fraudsters, hackers, and cybercriminals don't work a 9 to 5 schedule. Our professionals are available any time of day, all days of the week, to help your business rebound in the event of a cyber incident.
- Comprehensive services—With a vast team across various disciplines and areas of expertise, BDO has the ability to address collateral damage associated with a breach. Our legal support team, for example, can assist with data breach response and litigation.
- An applied approach to identify vulnerabilities—BDO can help you build or evaluate your company's incident response plan using techniques like ethical hacking simulation exercises and network penetration testing. Addressing the people component of cybersecurity, we can run phishing simulations to build employee detection skills and provide training on spotting and reporting suspected phishing attempts.
Connect with BDO now to assess your online environment, understand your potential exposure, and set up the right controls to defend against cyber threats.
Vivek Gupta, Partner, Cybersecurity
Chetan Sehgal, Partner, Forensics & Litigation Support