Posted on February 22, 2022 by Brent Beecher
Most businesses today understand that the internet can be a dangerous place. As an organization grows beyond the very early stage of one or two employees and a few thousand dollars in sales, the cyber strategy of “security by obscurity” must give way to a balanced and nuanced approach to mitigating the risks posed by the dark web.
To be sure, that balance should include robust technical defenses and organizational training on one hand, and a responsive cyber insurance policy on the other. The cost and effectiveness of each of these varies wildly with the products and services a company selects. To intelligently evaluate the spend on these defenses, a business must not lose track of two fundamental facts.
First, it is not possible to eliminate cyberthreats technologically, short of a full unplug. The risks can be dramatically and importantly mitigated, but some of the most secure networks in the world have been successfully hacked. It is not reasonable or responsible to assume a hack of your organization is impossible, regardless of the sophistication of your defenses.
Second, a cyber insurance policy has practical limitations. The first is the scope and limits of its coverage. Just like the physical firewall protecting your network, cyber policies have vulnerabilities, exclusions, traps for the unwary, and conditions that can jeopardize coverage. The second limitation is that, in the event of a serious breach, it may be impossible to reassemble the cracked eggshell regardless of the resources an insurer may bring to bear.
In short, the only sober strategy for businesses with a cyber exposure (and that is nearly all of them) is to proactively mitigate with a combination of technical defenses and the intelligent choice of a cyber insurance program. The rational allocation of resources between these assets requires careful thought and a fluent understanding of technology, insurance policies, and the law that applies to both. Rely on your professionals. The technology and the policy should be complementary aspects of your company’s cyber defense strategy.
Except when they are not. One method of cyber attack is the encryption of the victim’s data by the hacker, who then sets a price (usually payable in bitcoin) that the victim must pay for the decryption key. Such an attack can be very broad in scope, paralyzing an organization’s communications, work product data, accounting data, etc. There is frequently coverage in cyber policies for the payment of such ransom. Thus at first blush, the insurance policy appears to be filling a gap in the technological defenses and acting cooperatively. But that is not always the case.
By the time they launch an encryption-based cyber attack, a hacker is very likely to have had nearly unfettered and undetected access to your network for a period of months. The hacker is likely to know a great deal about your organization and its electronic files. And one particular electronic file is highly likely to reside somewhere on your network: your cyber insurance policy. That policy will contain all of the details of the coverage you may have for a ransomware attack, including your policy limits and conditions of coverage. Cobbling that information together with the data from your accounting software can give your hacker all the details needed to set the ransom at a level that will drain every last available penny, completely nullifying any benefit of having purchased cyber coverage for this kind of loss in the first place. To add insult to injury, you may have violated a condition of the cyber insurance: that the fact of ransomware coverage be kept secret. Consult your policy for more information.
One solution to this cyber sucker punch is decidedly anti-tech: make sure there is no trace of a cyber policy anywhere on your network, period. No emails with the agent, no bookkeeping entries identifying payments for “cyber insurance,” no documents related to underwriting audits, and absolutely no electronic copies of the policy itself. In fact, one might keep a decoy policy showing no coverage for ransomware attacks in a semi-prominent location on a network drive as its own kind of “insurance.” Keep the real policy written on a dead tree in what people used to call a “file cabinet.” It’s not a perfect solution, and it mitigates just one of many threats, but it might help you avoid the cyber sucker punch.
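Checking that the advice above has actually been followed is a data-hygiene audit: walk the file shares and flag any document that mentions cyber insurance, ransomware coverage, a policy number, or a coverage limit. The script below is an added example and not part of the original post; it builds a small constructed directory standing in for a network share (the file names, the phrases, and the placeholder policy number CYB-000000-SAMPLE are all made up), then scans it with a few assumed indicator patterns. It reads only plain-text file types; PDFs and Office documents would need a text extractor in front of the same scan.

```python
import os
import re
import shutil
import tempfile
from pathlib import Path

# Phrases that suggest a document discusses cyber insurance coverage.
# These are assumed, illustrative patterns; tune them to your own policy's wording.
INDICATORS = [
    re.compile(r"cyber\s*(liability\s*)?insurance", re.IGNORECASE),
    re.compile(r"ransom(ware)?\s+(coverage|sublimit|extortion)", re.IGNORECASE),
    re.compile(r"policy\s+(number|no\.?)\s*[:#]?\s*[A-Z0-9-]{6,}", re.IGNORECASE),
    re.compile(r"aggregate\s+limit", re.IGNORECASE),
]

# Only text-readable types are inspected; binary formats need a converter first.
TEXT_SUFFIXES = {".txt", ".md", ".csv", ".eml", ".rtf", ".html"}


def scan_file(path: Path) -> list[str]:
    """Return the first match of each indicator found in one file (empty if none)."""
    try:
        text = path.read_text(errors="ignore")
    except OSError:
        return []
    hits = []
    for pattern in INDICATORS:
        match = pattern.search(text)
        if match:
            hits.append(match.group(0))
    return hits


def scan_tree(root) -> dict[str, list[str]]:
    """Walk a directory tree and map each flagged file (relative path) to its hits."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.suffix.lower() not in TEXT_SUFFIXES:
                continue
            hits = scan_file(path)
            if hits:
                findings[str(path.relative_to(root))] = hits
    return findings


def build_sample_share() -> str:
    """Create a temporary directory with constructed sample files (not real data)."""
    root = Path(tempfile.mkdtemp(prefix="share_"))
    (root / "finance").mkdir()
    (root / "hr").mkdir()
    (root / "finance" / "ledger_2021.csv").write_text(
        "date,vendor,memo,amount\n"
        "2021-03-01,Acme Brokers,Cyber insurance premium,4200.00\n"
    )
    (root / "finance" / "policy_summary.txt").write_text(
        "Policy Number: CYB-000000-SAMPLE\n"          # placeholder, not a real policy
        "Ransomware coverage sublimit: $250,000\n"
        "Aggregate limit: $1,000,000\n"
    )
    (root / "hr" / "handbook.txt").write_text(
        "Welcome to the company. Vacation accrues at 1.25 days per month.\n"
    )
    return str(root)


def demo() -> dict[str, list[str]]:
    """Build the sample share, scan it, clean up, and return the findings."""
    root = build_sample_share()
    try:
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel_path, hits in sorted(demo().items()):
        print(f"{rel_path}: {hits}")
```

Point `scan_tree` at a mounted share rather than the sample directory to run it for real; the two finance files are flagged (the ledger memo and the policy summary) while the HR handbook is not, which is exactly the kind of stray reference the post says to remove.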
If you have questions about the need for – and protections provided by – a cyberinsurance policy, please contact Brent Beecher.