Responding to a Successful Cyber Siege: The Reassurance of Insurance
Last year, MedStack explored the benefits of a medieval castle approach to internet security, illustrating how companies need more than just a defensive wall and a prayer to keep hackers out. In the same way natural features, a drawbridge, and inner bailey could thwart a medieval enemy, a firewall and two-factor authentication can protect modern businesses.
But as that same article reminds us, perfect security simply doesn’t exist no matter how much we prepare. Sometimes, the worst does happen. While a defense in depth strategy can hold off an enemy, both in a medieval military context and a cybersecurity context, all it takes is one persistent opponent to get to the lord in his keep.
For instance, castles with multiple fortifications did prevent most assaults. But a well-planned siege designed to cut off critical supplies and starve the garrison sometimes led to a surrender, even if it took months. Modern businesses wouldn’t last that long. The startup equivalent of cutting off a castle’s food supply would be locking access to the system that allows it to serve customers and make money. You can easily imagine how quickly your founding team would cave to a ransom demand in order to get back to work.
Patient enemies willing to launch a long siege weren’t the only threat. After some time, humans developed powerful artillery that could blast through a castle’s stone defences. Likewise, a startup’s up-to-date cyber defences are all well and good…until a brilliant hacker halfway around the world cooks up something new.
So does this mean we should throw our hands up in defeat? Not at all. You see, unlike medieval lords who had limited options once they’d been defeated, today’s companies have a convenient way to return to business as usual: cybersecurity insurance.
Here’s the catch: Cybersecurity insurance won’t show up deus ex machina to save the day. For it to be truly effective, it has to cover your specific catastrophe. You need a broker who will cater a policy to your business’s risk profile. The last thing you want is to pay months or years of premiums only to discover you aren’t covered when the artillery hits the fan.
But if you do get it right, your cybersecurity insurance will kick in and help you pick up the pieces to deal with the following scenarios.
Paying the Ransom
Fortunately, most hackers aren’t interested in throwing you out of your startup and running it themselves. Twelfth century lords weren’t so lucky; medieval insurgents were there to stay.
Hackers are usually motivated by money which means they’ll likely do one of two things: quietly infiltrate your system so they can sell data for as long as possible or lock your computers and demand a ransom in exchange for restored access. If you purchased a cyber policy, your insurer could pay the ransom.
Paying for Outside Experts To Assess The Damage
Suppose a hacker doesn’t go the ransom route. Instead, they quietly infiltrate your ranks and sell crown secrets to enemies outside the gates. Once it becomes clear to you and your advisors that there’s a spy in your midst, finding them is a much more complicated matter. You want to find the intruder while also minimizing gossip and continuing regular operations.
For a startup or small business, it works in much the same way. Yes, you’ve noticed that there’s an intruder, but you may not have the expertise to determine how deep into your system they’ve journeyed, what information they’ve compromised, and whether they’ve been completely purged from your system. Figuring this out requires external experts who could put you out about $200 to $400 an hour. That’s money you wouldn’t have to pay out of pocket if you are appropriately insured.
Providing Credit Monitoring Services
There is a slight silver lining here. If you’re in a position to notify your customers and monitor their credit, you’re not dead in the water. You’ve almost come out of this breach alive and kicking. But treading water doesn’t mean you’re anywhere near the shore, and the cost of notifications and credit monitoring may be all it takes to put you under.
In some jurisdictions, regulators require customer notifications. In others, they’re not legally mandated, but ethically appropriate. No matter the motivation, notifications are expensive, time-consuming, and force you to move your staff away from working on core business functions.
Once the notifications are made, there’s still the matter of credit monitoring for customers to flag any fraudulent activity. This can cost $100 to $150 per customer record, annually. Choosing a policy that covers the cost of notification and monitoring can save you a significant amount of money in the event of a breach.
Funding Extensive Damage Control
Trust is difficult to earn back once it’s been lost, and that feeling of betrayal is only intensified if your startup handles highly sensitive data like medical information. After a data breach, it may take a PR firm to win back the confidence of your customers, and you guessed it, they don’t come cheap. As you can expect, funding for PR isn’t a given in every cybersecurity insurance policy, so if this is the kind of support you’d like in case of a breach, be sure to bring it up to your broker so it’s included in the package.
Covering Legal Costs and Regulatory Fines
Let’s say you have a full war chest and you can cover the cost of addressing and investigating the breach, making notifications, and monitoring credit files. There’s still the potential consequences of allowing the breach to happen in the first place. If a court or regulatory body decides you didn’t have enough protection in place to guard your data, you could be looking at some hefty fines or settlements. If this is included in your policy, your insurer will pay up to the covered amount.
Even if you don’t get hit with any fines, you’ll still want an insurance company to help you foot the legal bill the lawyers who defend you will send.
Making Up For Lost Revenue
Even in the luckiest scenarios, there’s still some level of business interruption that takes a bite out of revenue. Once the initial damage is cleaned up, there’s the financial cost of reassigning or hiring employees to deal with the results of the breach. While businesses often remember to include ransom payouts and legal fees in their coverage, costs like business interruption insurance are easily forgotten.
On that note, including contingent business interruption insurance is worth looking into as well if you rely on a third-party vendor to provide your product or service. If they fall victim to a cyber breach, you’re looking at an interruption to your operations even though you weren’t directly targeted. If a third party vendor plays a critical role in your operations, including contingent business interruption insurance in your cybersecurity policy is one way to manage that risk.
Cyber breaches Due to Third Party Negligence
Chances are, you rely on one or more third parties to manage important data. So what happens if they suffer a data breach that compromises your customers’ data, too? If you purchased a comprehensive policy, you’re good, but if you specifically limited your coverage to cyberattacks on your company, you’ll be left to handle the fallout yourself. Target’s much-publicized data breach was due to credentials stolen from a third-party vendor.
Don’t underestimate the damage that data in the wrong hands can cause. As the liabilities related to cybersecurity increase, the onus is on business owners to manage that risk. Unlike that medieval lord, you don’t have to lose control of your entire castle once someone breaches the keep. With the right cyber insurance tailored to your business, you can stay protected even after the worst happens.
About the author
Danish Yusuf is the CEO and co-founder of Zensurance. Zensurance takes the headache out of commercial insurance by identifying the exact type and amount of coverage small business owners need using data analytics. Its digital platform reduces the back and forth involved in finding the right policy, so you can spend less time filling out paperwork and more time building your business.
Zensurance was rated the most innovative company of 2016 by Canadian Innovation Exchange, and has also been recognized for driving significant change in the Canadian insurance industry. Keep up with the latest updates on Twitter @zensurance.