Insuring a Secure Network in a Work-From-Home World

Insuring a Secure Network in a Work-From-Home World

The workplace of today is radically different from just a few months ago. More of us are working from home and many businesses are finding that “working from home” can be surprisingly productive. Companies in many industries have decided flexible working environments will be part of their culture post COVID-19. But all of these at-home workplaces pose new cyber security challenges and there are some questions you need to ask.

First, how does your company’s exposure to cyber crime increase with more remote employees? Do you know if your employees’ home networks are secure? With hundreds or thousands of employees logging into your office systems remotely, do you have systems in place to protect all of those outside access points?

Most companies understand that formal policies and procedures are vital to creating a strong cyber security posture. But ensuring that best practices are still being followed outside of the office isn’t as simple as sending out an email.

This fall, the Georgia Attorney General’s Consumer Protection Division released a guide to help small businesses, nonprofits and houses of worship protect their data. The guide provides best practices in dealing with data protection and limiting cyber threats, information even more useful now in the time of COVID-19.

Key recommendations include:

  • Install reputable security software on your computers
  • Frequently update systems and software
  • Create strong passwords
  • Be smart when connecting to Wi-Fi hotspots
  • Know with whom you’re doing business

The Georgia Consumer Protection Guide also provides the information needed to create a cyber security program. In addition to what is listed above, businesses should also consider creating an incident response program so that managers and executives know exactly what to do in the event of a breach and can coordinate their response accordingly. This may include formalizing a relationship with a cyber security attorney or a consulting and forensics firm. Having a clear plan and engaging experts early will reduce down time and start your company on the road to recovery. 

It is also wise to create a position in the business — Chief Information Security Officer (CISO) or equivalent —  to lead incident response and management activities. CISOs can also be made responsible for keeping the firm up-to-date with changes in cyber regulations, best practices and to continuously review and improve the firm’s policies and procedures. Regular employee training (annual or semi-annual) is vital and employees can learn important topics, including how to spot phishing emails, why you shouldn’t click random links, what information is private, and when to alert management.

Establishing a comprehensive plan to address a company’s network security and data privacy exposures is a constant challenge. Like most technologies today, cyber scams are constantly evolving and criminals are designing new scams and techniques almost daily so that as soon as a vulnerability is fixed or patched, a new vulnerability is identified and exploited. The constant and growing threat of cyber crime requires a proactive and thoughtful approach by business owners.

A strong defense against cyber threats involves two main actions: first, being proactive in creating cyber security policies and procedures and secondly, building a safety net in the form of a cyber insurance policy.

Understanding the Various Insurance Solutions

Cyber Liability Insurance is a stand alone policy covering a wide array of cyber crimes, from ransomware and cyber extortion to social engineering, phishing and data breach.

Creating cyber policies and procedures and an incident management plan will hopefully prevent most cyber attacks but it’s almost inevitable that a breach will occur. When the worst happens, it’s important to have an insurance policy you can rely on. Not all cyber liability insurance policies are created equally. Each will provide different levels of coverage, with some providing all the bells and whistles and others covering only the basics. The cyber liability insurance marketplace is very competitive right now so you can get a comprehensive policy for just a fraction more than a bare bones policy.

Important coverages (or insuring agreements) include:

  1. Cyber Extortion (for ransomware payments and response costs)
  2. Social Engineering (for phishing attacks)
  3. Business interruption (lost income from downtime resulting from a cyber attack)
  4. Contingent Business Interruption (lost income from downtime of a vendor due to a cyber attack)
  5. First-Party Breach Response (costs you incur to investigate and remedy your systems after a cyber event)
  6. Regulatory Coverage (for fines and penalties levied by a regulatory body)
  7. Reputational Risk (PR costs to monitor and rectify your brand image)

While the market for Cyber Liability Insurance coverage remains competitive, prices are beginning to rise as the frequency and severity of cyber attacks continues to increase.

There are steps businesses can take to help reduce their insurance costs including:

Data Minimization – It’s best to collect the minimum amount of data necessary to perform a specific service or operation. For example, if you are running a subscription service you obviously want the customers credit card information but you wouldn’t want to store other personally identifiable information that is not necessary for normal operations (such as social security numbers, drivers license numbers or biometric information). The number of records is the basis for determining policy premium so the less data, the less cost.

Encryption – This is something that carriers should closely examine. You are sure to pay more for cyber insurance if your digital assets are not encrypted.

Cyber Policies – Companies should have formal written cyber security policies that show insurance carriers your business is proactive in its risk management practices. Carriers will often provide credits if these policies are in place.

How much insurance does my company need?

The question of how much coverage to buy depends on the specific business’s operations and its appetite for risk. Firms who conduct the majority of their business online, operate in a heavily regulated industry, process or store sensitive data, hold data on minors, or provide services around the world would likely want to purchase higher limits than businesses who do not fit any of those metrics.

Small businesses tend to buy around $1M of coverage and prices start around $1,000. More complex businesses with a larger digital footprint or a more hazardous nature of operations from a cyber perspective regularly carry $3M, $5M or $10M and higher.

Businesses also need to determine for themselves how much risk they are comfortable “self insuring.” That’s a daunting task from a cyber perspective as most business owners are not versed in the complexities of dealing with a cyber attack.

Mike Shrubb, Client Advisor

Sterling Seacrest Partners has the ability to provide benchmarking reports to show prospects how much insurance their competitors (same industry, same size) are buying. We also have access to reports showing the type of cyber attack most likely to target their business. Analyzing exposure and then finding an insurance solution that best suits a client’s need is how we provide best in class advice and tailored coverage to our clients.