Fresh Thoughts #39: The #1 Reason Cyber Insurers Don't Pay
- Newsletter
In short...
...because your infrastructure and security measures differ from what was claimed on the cyber insurance questionnaire.
Why is there a difference?
It's bad enough to be a victim of a cyber attack. But to find your insurance won't pay out because you didn't follow the security procedures you stated on the cyber insurance questionnaire is very difficult for any business.
The difference can be for two reasons:
- What was claimed on the insurance questionnaire was not true. This could be a little massaging of the truth or a flat-out lie. In either case… this isn't good. An insurance policy is a contract, and the law is clear - if you breach the agreement, you can't expect a payout.
- Your infrastructure has changed over time… It was accurate, but life and business happened. And resulted in unintended consequences.
But how can an insurer know?
The state of your infrastructure only matters when you want to make an insurance claim. This will inevitably be when you're having problems. You've just been breached, fallen victim to a ransomware attack, or transferred money to a scammer's account.
Your incident response process should kick in whenever you have a security incident. And the main focus of this process is to understand the following:
- the root cause of the incident
- how to contain the incident
- how to fix the problem
So if the security incident was caused by a leaked password and you claimed to only use 2FA...
Or a known vulnerability was exploited while you claimed to have an automatic patching process...
Your insurance company will find out and spot the difference.
Why is this important now?
When the economy gets tight, justifying IT and security costs is essential. Cut what can be cut, but leave what is critical.
It's to be expected that we're working under more pressure. Shorter timelines, fewer people, less service per $£¥. So it's natural to look everywhere to cut corners. But...
Cybersecurity is a process.
You will need to take action tomorrow, next month, and next year. It's a cost of doing business - just like HR, legal advice, and finance.
Cutting a corner today incurs a debt - that you will need to pay down in the future. The sooner you pay the debt, the less compound interest you pay.
How do changes get introduced?
Some changes are easy - and within your control.
When someone joins your team or leaves. Having a Joiners and Leavers process to create and delete access in a structured way means there aren't dormant accounts waiting for a hacker to find and exploit.
When your team trials a new approach or a new service. There are two key areas to check:
- Does the new service have the required baseline security measures? And are they configured?
- Once you've reviewed the new service - clean up. If the approach doesn't work out, the trial service shouldn't have access to any confidential or personal information. If the new process does work out - remove the old way of working and fully migrate. Fewer IT systems are better. They're less of a headache.
But some changes are outside of your control. A security researcher discovers a new method to exploit an application. The app developer publishes a patch.
If you don't apply the patch promptly - the risk of exploitation increases. And your claim of running a patch management process comes into doubt.
What can be done about this?
Firstly, ensure your team doesn't massage the truth on cyber insurance questionnaires. While it can be tempting for short-term gain, no other type of insurance has the level of audit cyber insurance has. Every decision, mistake, and misconfiguration before the incident is logged and available for review.
Secondly, don't commit to policies and procedures you don't have the time and people to sustain. It's tempting to download policies from the internet. But if they're designed for companies with different staffing and investment levels to yours, they will not be sustainable. Simply put, you must fully implement your policies to ensure your insurance pays.
Thirdly, many areas of cybersecurity are "configure once and stay secure". But it's always worth monitoring and where possible enforcing the fundamentals:
- Passwords, 2FA, access controls
- Software patching and support
- Firewalls
- Maintaining backups of personal and sensitive data
Mobile Device Managers (MDM) can help consistently monitor endpoints. If you're using Microsoft 365, depending on your subscription, you may have one bundled with your plan. It can save you a considerable amount of time and effort.
Finally, schedule a monthly review point. Corners will inevitably be cut at some point. But what's changed? What security debt have you incurred and need to pay - before it becomes a problem?
Cybersecurity is a process.
Trim costs and become more efficient, but please don't remove the time it takes to complete the process.
November 1, 20224 Minutes Read
