A Look at Cyber Insurance -- A Corporate Perspective
1. Louisville Cyber Summit 2019
What About CyberSecurity Insurance? –
A Corporate Perspective
Da-Wyone Haynes
Product Owner Security Event Management – Transamerica / Aegon Global
IT Sector Chief – Kentucky InfraGard Members Alliance
TALK Board Member
2. What about TALKLou?
Our Mission and Purpose:
• Workforce development and economic development. We look to
create opportunities for job growth, job training, STEAM curriculum,
plus public policy and advocacy around technology subjects in
Louisville, the State of Kentucky, and Washington DC.
• We are a tech council, one of 50+ tech councils in North America,
including Canada, and a member of TECNA (Tech Councils of North America)
and CompTIA.
• We are an independent, non-profit educational organization and a
registered 501(c)(3).
• Please find us on the web (www.talklou.com, Facebook, LinkedIn,
and Twitter).
3. A Day in the Life of an IT Professional
We are all about Risk Management
• Compensating Controls
• False Positives
• Acceptable Use
• Acceptable Risk
• Key Control
• Secondary Control
• Tertiary Control
• Governance
• Impact
• Likelihood
• Mitigating Actions
4. Judy Selby – Cyber insurance consultant and former
insurance coverage litigator
“It’s particularly important for small and midsize companies
that lack the financial and technical resources to respond to
a cyber incident. Enterprises need to realize that 100%
cyber security is impossible, given increasing data volumes,
digitization, and work force mobility combined with an
evolving threat landscape and greater regulatory
compliance concerns. Today’s companies should take a risk
management approach to cyber security issues, including
transfer of risk through insurance.”¹
5. Do you need Cyber Insurance?
What are the numbers?
• 70% of companies have some form of Cyber Insurance coverage,
transferring the risk to a third party²
• Of the 70%, approximately 25% were spending $500,000 or more on
premiums²
• In 2017, cybersecurity policies only paid out 32% of premiums, and this
number was less than the 48% paid in 2016³
Buying or owning Cyber Insurance is in no way an indictment of our Cyber Security
posture or program, but an acknowledgment that our adversary only has to be
successful with a single attack vector, while we are tasked with implementing
controls (preventive and detective) against many adversaries attacking us simultaneously.
We are, after all, Risk Managers, and transference of risk to a Cyber Insurance policy is
one tool in our belts.
6. Cyber Liability Coverage (First Party)⁴,⁵
• Loss or damage to Electronic Data (Property Damage – PCs)
• Loss of Income or Extra Expenses (Business interruption)
• Identity Theft (Business Owner or Employees)
• Cyber Extortion Losses (Ransomware)
• Notification Costs (including Credit Monitoring)
• Reputational Damage (PR campaigns to restore trust)
7. Cyber Liability Coverage (Third Party)⁴,⁵
• Network Security Liability
• Network Privacy Liability
• Electronic Media Liability
• Errors and Omissions Liability
• Attorney’s Fees
• Settlement / Judgements
• Government Fines / Penalties (Regulatory)
• Computer Fraud
• Funds Transfer Fraud
• Cyber Terrorism
8. The Fine Print – Uh Oh!!!
1. A number of policies that have been issued contain a provision that pays the coverage amount of the
policy if the “Hacker” was an external entity; however, insider threat activities are explicitly excluded.⁶
2. “Social Engineering” reduction clauses are contained in some companies’ policies. Specifically, they are
used to limit the payout of a policy value. For example: if you have a $30 million policy but it contains, say, a
$100,000 payout limit for breaches caused by Social Engineering, then that limit is all that is paid to you
if it is determined that the attack vector was Social Engineering. 70% to 90% of all successful data breaches
are due to some form of Social Engineering.³
3. Some policies require specific processes or programs to be in place and will evaluate your effectiveness
“after” you submit a claim. Common requirements are normal and customary:⁷
a) All software and operating systems are updated (patched to the latest versions)
b) Leverage antivirus software and keep it up to date
c) Maintain regulatory compliance: HIPAA, PCI-DSS, NYDFS, GDPR
d) Monitor the network for anomalies 24/7
e) Maintain a security staff to respond to incidents and ensure all employees receive best practice
cybersecurity training (including Phishing detection and proper behavior when detected)
f) Ensure you have a comprehensive and documented cybersecurity policy that is regularly reviewed and
updated
g) Maintain a physical access policy for premises and secure areas
h) Maintain network firewalls, encryption, and segmentation of the network where appropriate.
i) Maintain and perform regular backups of critical systems and a documented BCP/DR policy that is
regularly reviewed and updated
j) Conduct routine External Penetration Tests or Audits
k) Align your processes and procedures to your specific Industry best practices to ensure you are
protecting your business based on what is customary (Due Care)
9. Conclusions and Open Discussion
A reminder, this presentation was not designed to make a recommendation
on whether Cyber Insurance is right or wrong for you, but to – hopefully –
provide information that will be helpful if you currently have a policy in force
or are considering one.
Because those of us in the Cyber Security space consider ourselves family, this
will be the time for us to have a general discussion on your thoughts on Cyber
Insurance, your experience with having a policy, or your trepidations on
purchasing or not purchasing a policy. Please use this discussion as an
opportunity to make connections with your peers that have experience with
evaluating Cyber Insurance so that you are not starting from scratch.
If you are interested in the companies that are providing Cyber Insurance
policies, please review CyberInsure One⁸ and the article on FitSmallBusiness:
“Cyber Liability Insurance: Cost, Coverage & More”⁴
Thank you for your time today.
10. References:
1. What is Cyber Insurance? Do you need it? – The SSL Store, January 15, 2019
(https://www.thesslstore.com/blog/cyber-insurance/)
2. What is Cyber Insurance and Do You Really Need It? – CSO Online
(https://www.csoonline.com/article/3147445/what-is-cyber-insurance-and-do-you-really-need-it.html)
3. Does your cyber insurance cover social engineering? Read the fine print – Roger A. Grimes, CSO Online, May 15, 2019
(https://www.csoonline.com/article/3395498/beware-social-engineering-reduction-clauses-in-cybersecurity-insurance-policies.html)
4. Cyber Liability Insurance: Cost, Coverage & More – Virginia Hamill, Fit Small Business, May 22, 2019
(https://fitsmallbusiness.com/cyber-liability-insurance/)
5. What Does a Cyber Liability Policy Cover? – The Balance Small Business, October 22, 2018
(https://www.thebalancesmb.com/what-s-covered-under-a-cyber-liability-policy-462459)
6. Computer Crime Insurance – James Chen, Investopedia, August 17, 2018
(https://www.investopedia.com/terms/c/computer-crime-insurance.asp)
7. The Pitfalls of Cyber Insurance – Chris McDaniels, Dark Reading, August 21, 2017
(https://www.darkreading.com/endpoint/the-pitfalls-of-cyber-insurance/a/d-id/1329656)
8. CyberInsure One – (https://cyberinsureone.com/cyber-insurance-companies/)