Coverage to Claims:
Tactical Advice to Manage Cybersecurity Insurance Compliance
Cybersecurity insurance is purchased to cover costs incurred, or income lost during a cybersecurity incident. The last thing you want is to prevent your policy from paying out during an event because of a process mistake, often the leading cause of policy noncompliance. In this article, Onspring Director of Information Security, Nichole Windholz, CISSP, CISM, PMP, breaks down four pieces of tactical advice to keep your organization in compliance with your cybersecurity insurance policies and your information security team working in tandem with legal and your insurance provider.
If you need a refresher on what cybersecurity insurance policies cover, check out our Cybersecurity Insurance Policies Explained article.
Lesson 1
Know the fine print of your cybersecurity insurance policy
Once you’ve identified the basics of an insurance policy for your organization’s cyber needs, it’s crucial to emphasize the importance of thoroughly reviewing and comprehending the fine print. Knowing exactly what your policy covers, and being aware of any exclusions, limitations, and conditions that may affect your coverage, is essential to your cybersecurity management strategy.
Some insurance providers recently updated policy clauses to exclude specific types of cyberattacks to avoid payouts. Additionally, some insurance providers list exclusions for war and hostile acts in their policies, which means that the global geopolitical environment now directly impacts your business whether or not you operate internationally.
For example, in 2017, cyberattacks caused by NotPetya malware were not paid out by some cyber insurance companies, which claimed these incidents fell under acts of war given the Russia and Ukraine battle over Crimea. In November of 2022, Mondelez International was working on a settlement agreement after being denied $100 million in damages thought to be covered by its Zurich all-risk property insurance policy. More recently, in May 2023, Merck won a court battle over its damages from the NotPetya malware attack, resulting in a $1.4 billion claim.
Lesson 2
Track the awesomeness of your information security program
In addition to a detailed incident response plan, your insurance provider will need to see metrics around the trends, vulnerabilities, and progress your organization is experiencing regarding cyber risk. If a cyber incident occurs, you will need all information at your fingertips to file a claim with insurance. Evidence of proper reporting can also help you negotiate lower premiums for cybersecurity insurance.
Again, Onspring’s real-time reporting capabilities give infosec professionals visibility and transparency into trends across key metrics, allowing them to properly track cyber risks and plan a response to potential threats, not to mention have clear insights to show to their insurance company and legal team. Discuss with your auditors how you track your program and how you report on it.
Lesson 3
Know your organization’s exposure from key suppliers and partners
Having a grasp on your insurance policy involves going beyond your internal processes and needs. Make sure to manage third-party risk for your business-critical processes by understanding your vendors’ security program and confirming that it aligns with your requirements.
Ask if your suppliers and partners have cybersecurity insurance, and if yes, know what’s covered in their policy. To maintain visibility into their policy, we recommend including cybersecurity insurance reviews during third-party onboarding and periodically (at least annually) thereafter. Review the audit reports (e.g., SOC2, ISO, etc.) of your key suppliers and partners to make sure they’re doing their due diligence.
You’ll also want to understand what’s included in the SLAs of your key suppliers and partners. If a cyber incident occurs, know whether their SLA changes and what their processes and timelines are for coming back online. This timeline will enable you to understand how your business will be impacted and how you should plan in advance for this type of incident. Doing so helps you manage your organization’s risk posture and is imperative for your organization’s critical and high-risk vendors.
If you’re looking for an easier way to keep track of your vendors’ and partners’ risk profiles and cyber insurance policies, Onspring’s Third-Party/Vendor Risk Management is a great place to start. This product integrates with SecurityScorecard, which gives customers access to more cyber risk data so they can mitigate and optimize what’s going on inside their organization to improve their risk posture.
Lesson 4
Partner with your legal team when it comes to cybersecurity insurance
When negotiating your cyber liability policy with insurance companies, it’s important to partner with your legal department. Policies renew on an annual basis, so information security and legal representatives within your company should begin a discussion three to four months before the renewal date and work closely together to complete the insurance application paperwork.
Ahead of your meetings with legal, come prepared with documents summarizing your infosec program processes and results. One way you can make preparations easy is by using Onspring’s Dynamic Documents feature to aggregate results from your security awareness training, EDR or XDR, patch systems, and vulnerability reviews. Your team can immediately spin up a real-time summary of measures in place to protect your organization, current tracking, and responses. This feature allows you to streamline the process of providing the legal team with the information they need to make informed recommendations and decisions regarding coverage levels in cybersecurity insurance policies.
By maintaining an effective infosec program (and being able to provide proof of your efforts with reports that summarize program elements and results), you can help your company receive better cybersecurity insurance coverage at lower rates.
If you’re interested in learning more about how Onspring can help you better track risk and manage your policies, reach out to us at hello@onspring.com.