Coverage to Claims:
Tactical Advice to Manage Cybersecurity Insurance Compliance

Cybersecurity Insurance Webinar Recording

Cybersecurity insurance is purchased to cover costs incurred, or income lost during a cybersecurity incident. The last thing you want is to prevent your policy from paying out during an event because of a process mistake, often the leading cause of policy noncompliance. In this article, Onspring Director of Information Security, Nichole Windholz, CISSP, CISM, PMP, breaks down four pieces of tactical advice to keep your organization in compliance with your cybersecurity insurance policies and your information security team working in tandem with legal and your insurance provider.

If you need a refresher on what cybersecurity insurance policies cover, check out our Cybersecurity Insurance Policies Explained article.

Four key takeaways on cybersecurity insurance compliance: 
  1. Know the fine print in your cybersecurity insurance policy

        Why: The devil is in the details regarding what is NOT covered in the event of an incident.

  1. Track the awesomeness of your infosec program 

        Why:  If there is an event, you have everything you need to file a claim with insurance. The cybersecurity insurance underwriting market is volatile, and with an awesome infosec program, you have the leverage to negotiate lower premiums. 

  1. Know your key suppliers’ and partners’ cybersecurity insurance policies

       Why: This helps manage your organization’s risk posture and is imperative for your organization’s critical/high-risk vendors. It should be included as part of the vendor onboarding and renewal process.

  1. 1x per year, partner up with your legal team to negotiate your organization’s cybersecurity insurance policy

       Why: Attorneys are not cybersecurity experts, so keep them honest. You’re not an expert on the law or contract negotiations, so let them do the dirty work.

Cybersecurity Insurance FIne Print

Lesson 1

Know the fine print of your cybersecurity insurance policy

Once you’ve identified the basics of an insurance policy for your organization’s cyber needs, it’s crucial to emphasize the importance of thoroughly reviewing and comprehending the fine print. Knowing exactly what your policy covers– ensuring that you are aware of any exclusions, limitations, and conditions that may affect your coverage—is essential to your cybersecurity management strategy.

Some insurance providers recently updated policy clauses to exclude specific types of cyberattacks to avoid payouts. Additionally, some insurance providers list exclusions for war and hostile acts in their policies, which means that the global geopolitical environment now directly impacts your business whether or not you operate internationally.

For example, in 2017, cyberattacks caused by NotPetya malware were not paid out by some cyber insurance companies, claiming these incidents fell under acts of war given the Russia and Ukraine battle over Crimea. In November of 2022, Mondelez International was working on a settlement agreement after being denied $100 million in damages thought to be covered by its Zurich all-risk property insurance policy. More recently, in May 2023, Merck won a court battle over its damages from the NonPetya malware attack, resulting in a $1.4 billion claim.

Suggested action:

Ensure you have an insurance-compliant incident response plan tested and ready to deploy.
  • Testing is a great time to work with your organization’s business continuity response team to ensure cyberattacks are proactively planned against, and the response protocol aligns with your cybersecurity insurance policy.
  • Ensure the protocol outlines roles and responsibilities for who contacts the insurance company in the event of a cyberattack, who identifies what information is needed from the insurance company, and who is in charge of your incident response retainer, if applicable.

Get started with business continuity & disaster recovery > 

Infosec Program Tracking

Lesson 2

Track the awesomeness of your information security program

In addition to a detailed incident response plan, your insurance provider will need to see metrics around the trends, vulnerabilities, and progress your organization is experiencing regarding cyber risk. If a cyber incident occurs, you will need all information at your fingertips to file a claim with insurance. Evidence of proper reporting can also help you negotiate lower premiums for cybersecurity insurance.

Again, Onspring’s real-time reporting capabilities give infosec professionals visibility and transparency into trends across key metrics, allowing them to properly track cyber risks and plan a response to potential threats, not to mention have clear insights to show to their insurance company and legal team. Discuss how you can track your program and how you can report on your program with auditors.

Suggested action:

Manage cybersecurity insurance policies in cloud-based software to avoid disruptions during an incident.
  • Keeping your BC/DR plans and insurance policies in an environment separate from any on-premise software can help ensure those files maintain accessibility during an attack.
  • Additionally, workflows to manage incident response plans can continue without disruption to keep you on a path to incident resolution.

Learn how to map your policies to cybersecurity risk management efforts > 

Third-Party Risk Exposure

Lesson 3

Know your organization’s exposure from key suppliers and partners

Having a grasp on your insurance policy involves going beyond your internal processes and needs. Make sure to manage third-party risk for your business-critical processes by understanding your vendors’ security program and confirming that it aligns with your requirements.

Ask if your suppliers and partners have cybersecurity insurance, and if yes, know what’s covered in their policy. To maintain visibility into their policy, we recommend including cybersecurity insurance reviews during third-party onboarding and periodically (at least annually) thereafter. Review the audit reports (e.g., SOC2, ISO, etc.) of your key suppliers and partners to make sure they’re doing their due diligence.

You’ll also want to understand what’s included in the SLAs of your key suppliers and partners. So, if a cyber incident occurs, know if their SLA changes and what their processes and timelines are for agreeing to come back online. This timeline will enable you to understand how your business will be impacted and how you should plan in advance for this type of incident. In doing so, it helps you manage your organization’s risk posture and is imperative for your organization’s critical/high risk vendors.

If you’re looking for an easier way to keep track of your vendors’ and partners’ risk profiles and cyber insurance policies, Onspring’s Third-Party/Vendor Risk Management is a great place to start. Through the use of this product, users can easily integrate with SecurityScorecard, which helps customers access more cyber risk data, mitigate, and optimize what’s going on inside their organization to improve their risk posture.

Vulnerability-Remediation-for-System-Security.png

Stay Ahead of Vendor Risk

See how cyber risk data from SecurityScorecard helps companies like yours stay on top of vendor risk.

Cybersecurity Insurance with your legal team

Lesson 4

Partner with your legal team when it comes to cybersecurity insurance

When negotiating your cyber liability policy with insurance companies, it’s important to partner with your legal department. Policies renew on an annual basis, so information security and legal representatives within your company should begin a discussion three to four months before the renewal date and work closely together to complete the insurance application paperwork.

Ahead of your meetings with legal, come prepared with documents summarizing your infosec program processes and results. One way you can make preparations easy is by using Onspring’s Dynamic Documents feature to aggregate results from your security awareness training, EDR or XDR, patch systems, and vulnerability reviews. Your team can immediately spin up a real-time summary of measures in place to protect your organization, current tracking, and responses. This feature allows you to streamline the process of providing the legal team with the information they need to make informed recommendations and decisions regarding coverage levels in cybersecurity insurance policies.

By maintaining an effective infosec program (and being able to provide proof of your efforts with reports that summarize program elements and results), you can help your company receive better cybersecurity insurance coverage at lower rates.

If you’re interested in learning more about how Onspring can help you better track risk and manage your policies, reach out to us at hello@onspring.com.

Request-a-Demo-of-Onspring-GRC-Software.png

Curious about how to protect against cybersecurity risks?

Let’s find a time to talk about identifying, tracking, and reporting on your enterprise-wide risks.

Actionable insights we think you’ll like

  • Finger pointing to dashboard graph

Guide: What is Third-party Risk Management (TPRM)?

Third-party risk management (TPRM) empowers companies to identify, assess and mitigate risks associated with vendors, supplies and partners, safeguarding operations and reputation. Learn how to streamline your third-party relationships while ensuring compliance and security.