Some incidents are unavoidable. You can prepare, but mistakes still happen. Things slip through the cracks. Surviving a cyberattack involves preparation and having a plan in case of a breach. Cyber insurance can be the defining factor in making it past a breach, but finding the best provider may seem overwhelming.
What insurance agency should you go with? How do you know you are making the best choice? How much coverage do you need? Who do you call first in case of emergency? (Cue Charlie’s conspiracy board.)
In a recent conversation with Apptega, Robert Merva, owner and CEO of the security-focused managed services provider Avrem Technologies, and Mercy Komar, an insurance advisor and risk manager at L. Calvin Jones Insurance, help answer some of these crucial questions. This is the final part of a three-part conversation. If you missed parts one and two, check them out here.
The following is a transcript of the conversation edited for clarity.
Robert Hilson – VP, Apptega: Mercy, there are tons of insurance options out there for businesses. What are the things that people need to be aware of when selecting a carrier and looking for the right agent?
Mercy Komar – Cyber Risk Manager, L. Calvin Jones Insurance: There are about 500 insurance carriers in the United States that are currently offering coverage. I tend to stick with the top 20 companies because they can provide the best policies and they also have the best breach response teams.
You need a stand-alone policy, not an endorsement. Endorsements have massive restrictions on them and minimal coverage. It is important that you have a stand-alone policy, and we typically see $1,000,000 in coverage to start.
You also need to be able to find an agent that understands the policies and what they are selling, regardless of whether they have a background in cyber.
I teach agents all over the United States. Some of them are very interested, but some of them just don't care as much. You must find someone that cares.
Apptega: And Robert, if the worst happens and one of these breaches occurs, what steps does a business need to take? How do they engage you? What do they need to be aware of in the fallout?
Robert Merva – CEO, Avrem Technologies: The first thing that you need to do is call your breach response team. Your insurance carrier will have a number that you need to call, and they will usually dictate your next steps in order for you to maintain coverage and ensure that your policy is in place.
They will organize a response team consisting of everyone who needs to be involved. This usually is a management team, an IT team, a forensics team, a legal team, and a marketing consulting team if necessary.
The next priority after calling your insurance should be localizing the breach or incident. You do want to stop the breach from spreading and worsening, but you do not want to ruin the forensic information because the insurance carrier will mandate a forensic investigation. This is not something that companies should be handling on their own regardless of the incident. You need to call your carrier and your IT consultant.
Apptega: Are there certain incidents that you have been seeing more than others? What are the other types of incidents or attacks that need to be top of mind for folks?
Merva: Ransomware is the big one because it is the scary one. That's top of mind for everybody.
The attack that's more likely to happen, though, is an e-mail breach, and for this reason multi-factor authentication should be a no-brainer for everybody, but we still get a lot of pushback on it. People fall for phishing attempts, and some phishing attempts are really, really convincing. There are tons of bad e-mail practices out there, and compromised mailboxes are likely a bigger concern and a more likely scenario than a world-ending ransomware event.
Komar: I'm seeing a lot of social engineering, too.
Apptega: That’s interesting. Robert, do you have any advice on how people should approach meeting these requirements, protecting their businesses, and being insured?
Merva: It goes back to the same thing that I have been saying for years: People need to take this seriously. I've been having the same conversations with clients and prospective clients for almost 20 years.
It is just crazy to me that we're still having these same conversations. We should be looking ten years ahead to get ahead of the curve, rather than discussing things that should have been best practices or were best practices ten years ago.
It is not always a matter of “if” a cyberattack happens, but rather “when.” Ensuring that you have an up-to-date and effective cybersecurity framework and a strong cyber insurance plan in place can give you peace of mind and an action plan for emergencies. Your business is valuable, so protect it!
For more information, listen to the full conversation here!
To learn more about how you can empower your clients to meet their cybersecurity obligations in an affordable way, while also growing your business, check out Apptega, the only GRC automation platform purpose-built for MSSPs.