Effective Cyber Risk Management Requires Transparency
Cyber risk is manageable. But only if everyone involved in managing that risk is on the same page. Typically, when new cyber threats are detected or announced, cyber insurers notify their policyholders and encourage them to swiftly remediate potential risks. Likewise, if a policyholder notices something unusual, the hope is that they report it promptly.
Yet some policyholders do not call their cyber insurer until it’s too late. There are many reasons why businesses may be hesitant to report. They might not be aware of the threat itself or the severity of an issue, or they may equate informing their insurer of unusual cyber activity with commissioning a costly investigation and assume that time and effort will be needed to submit a formal proof of loss.
Businesses are judicious in what they report out of concern for substantial costs, increased premiums and other negative repercussions. They sometimes focus more on managing their self-insured retention (SIR) than on the threat and the impact, which can extend beyond the costs covered under a cyber policy and include customer and employee confidence and the business’s reputation.
However, speed and responsiveness are essential when managing cyber risk. For cyber insurers and policyholders to effectively mitigate cyber risk and decrease the number of claims and losses, that perception needs to be changed and replaced with a culture of transparency and collaboration that encourages policyholders to use the resources at their disposal.
Transparency Begins with the Application Process
To mitigate their cyber risk, policyholders must be transparent, and transparency begins during the application process. All of a company’s online assets can be entry points into its system. Therefore, cyber insurers need a complete list of an organization’s assets—including all domains, subdomains, and IP addresses—to assess the company’s cyber risk as a whole.
Sometimes, businesses without a public-facing website feel safer from cyber threats. However, these organizations use other online assets, including email servers that host an abundance of data or may contain other vulnerable services, such as remote connection tools or even cloud-based point-of-sale machines that may seem disconnected (but are, in fact, not). As a result, a business can be vulnerable to threat actors even without a website.
Cyber insurers can only provide feedback and protection on what they know. With a complete and accurate picture of an organization’s network and digital assets, a cyber insurer can identify an organization’s open ports, what technologies they use, and what security misconfigurations or vulnerabilities exist in their digital infrastructure.
Timely Reporting = Positive Outcomes
With cyber insurance, timely reporting can be the deciding factor in whether an incident develops into a costly claim.
For example, the first 48 hours in funds transfer fraud (FTF) cases are critical. FTF is a type of cyber-attack that causes a victim’s funds to be sent to the attacker’s account instead of the proper recipient. If a business promptly notifies its cyber insurer of the fraud event, the insurer has a significantly higher chance of recovering stolen funds and returning them to the policyholder’s pockets.
FTFs are unique from a claims perspective because two different things are happening in parallel. In addition to attempting to claw back the stolen funds, an incident response team is working to determine what caused the event, collaborating with the policyholder to remedy whatever was compromised and mitigate future risks.
Regardless of the type of incident, cyber insurers may open a claim file when a policyholder reports a matter, whether it’s a claim or incident that falls within coverage, an event that doesn’t qualify for coverage, or merely suspicious activity. However, for anything other than a claim or an incident, the policyholder’s loss run will likely still show a $0 amount.
Take Advantage of Pre-Claims Services
Pre-claims services can significantly enhance a business’ security posture by helping to immediately address security concerns and better prepare to handle future threats.
Policyholders with a SIR will likely be hesitant to report a matter, fearing that doing so will incur costs. Businesses with higher SIRs are also typically bigger operations with capable internal IT teams, so they may feel inclined to address issues themselves. However, this is exactly why insurers provide pre-claims services: to prevent larger losses and maintain lower overall costs associated with cyber claims. Policyholders can use pre-claims services without depleting their policy limits, reducing their potential out-of-pocket expenses.
Pre-claims services come into play during the incident assessment process. While spoofed emails are usually incidents that don’t end up resulting in a claim, there are many instances of ransomware in which the policyholder waits until encryption to contact their insurer—which is often too late—rather than alerting them upon the first indication of suspicious activity. Taking advantage of pre-claims services can help address security concerns before they develop into active breaches, an approach that’s financially beneficial for both the insurer and policyholders.
Collaboration is Key
Cyber risk is part of the cost of doing business in today’s world, but managing it via cyber insurance shouldn’t be complicated or intimidating. Partnerships between policyholders, insurance brokers, and claims professionals can reduce the frequency and severity of claims, which benefits all stakeholders.
Cyber insurance policyholders should always feel comfortable reaching out, asking questions, and reporting potentially unusual activity, even if they’re unsure of what’s wrong. Reporting suspicious activity can be the difference between a full recovery and a multimillion-dollar cyber claim (and its impacts on customer and employee confidence and overall business reputation).
Jones is head of global claims at Coalition, where he leads the development of the company’s global claims offering. Before joining Coalition, he spent 32 years at AIG, most recently as executive vice president of financial lines, specialty claims.