Cybersecurity Insurance For Law Firms Across Canada
Have you been researching cybersecurity insurance, but aren’t sure if you qualify? Before you can secure coverage from a carrier, you need to do your due diligence and enhance your cybersecurity.
The somewhat inevitable nature of modern cybercrime has led businesses to consider cybersecurity insurance as a final layer of reassuring protection.
Unfortunately, that’s easier said than done. Many insurance providers have begun requiring stricter cybersecurity standards, and now draw a clear line between normally covered losses and those incurred by cybercrime-related events.
That means that if your cybersecurity doesn’t meet the standards of your insurance provider, you may not be as well covered as you think.
Coverage & Premiums Depend On Your Cybersecurity
Meeting the stipulations laid out by cybersecurity insurance providers may not be easy depending on the state of your cybersecurity posture. Modern cybersecurity has become so complicated that you can’t expect a simple cybersecurity defence to be sufficient.
That’s why cybersecurity insurance carriers are expecting so much more from the organizations they cover. They don’t want to risk having to pay out millions on their policies, and so, they raise their standards and ensure businesses like yours are properly defending their data.
Curious as to what these standards actually look like? Check out these questions from a real cybersecurity insurance policy application…
What To Expect On A Cybersecurity Insurance Application
- Does the applicant store, process, transmit or have responsibility for the below classes of data? Check all that apply:
- Protected Health Care Data
- Credit Card Data
- Biometric Information
- Please indicate the total number of private records the applicant stores, processes, transmits or has responsibility for: __________________________
- Does the applicant encrypt private information? Check all that apply:
- It is transmitted over public networks
- It is stored on a mobile device
- It is stored on enterprise assets
- It is stored with a third-party service provider
- It is stored on an employee device
- Does the applicant back up critical data? Check all that apply:
- Other: ___________________
- Please indicate all the following security protocols the applicant currently employs. Check all that apply:
- Up-to-date, active firewall technology configured to restrict inbound and outbound network traffic
- Up-to-date, active anti-malware solutions on all networks, computers and mobile devices
- Critical Software Patch Management (Critical patches installed within thirty (30) days of release)
- Multi-factor authentication for remote access to the applicant’s network
- Remote access to the applicant’s network limited to VPN
- Cyber incident response plan to respond to a network intrusion or disruption
- Disaster recovery plan, business continuity plan or equivalent in place
- Annual security awareness training for all employees
- Enforced password complexity requirements
- Does the applicant employ advanced security applications to prevent ransomware attacks?
- Please indicate the policies the applicant has in place that apply to vendors with access to the applicant’s computer system. Check all that apply:
- Written vendor information security controls
- Formal process to revoke vendor access rights
- Review and update of vendor access rights
- Monitoring/logging of vendor access
- Does the applicant make payments to third parties via wire transfer?
- Does the applicant have a formal wire transfer process?
- Does the applicant require anti-fraud training, including social engineering, phishing or other fraud schemes, for all employees responsible for authorizing and executing funds transfer requests?
- In the past five (5) years, have any Cyber Liability, Privacy Liability, Professional Liability/Errors & Omissions or Cyber Crime Event claims or suits been made against the applicant or any employee, officer, principal or other proposed Insured?
- In the past five (5) years, has the applicant experienced any network security or privacy breaches, including unauthorized access, unauthorized use, unauthorized disclosure, malware, ransomware, denial of service attack, theft or destruction of data, fraud, electronic vandalism or other security events?
- Does the applicant, its employees, officers, principals or any other person or entity proposed for insurance have knowledge of any circumstances, act, error or omission which might give rise to a claim(s) or cyber event under the proposed policy?
Will Cybersecurity Insurance Completely Protect Your Business Against Cybercrime?
A common misconception is that a cybersecurity insurance policy is a catch-all safety net, but that’s simply not the reality. Without a comprehensive cybersecurity strategy in place, a business may not qualify for a policy in the first place.
Furthermore, in the event of a hack, a business may not qualify for full coverage if their cybersecurity standards have lapsed, or if they can be found to be responsible for the incident (whether due to negligence or otherwise).
The core issue is that as cybercrime becomes more common and more damaging, insurers will become more aggressive in finding ways to deny coverage. It’s in the interest of their business to pay out as little and as rarely as possible, which means the policies will tend to rely on a series of complicated clauses and requirements that covered parties have to comply with.
A key example of this is when Mondelez International was denied coverage for the $100 million of damage they incurred from the NotPetya attack. Their insurer, Zurich Insurance, cited the obscure “war exclusion” clause, claiming that Mondelez was a victim of a cyberwar.
This is not an isolated incident. As discovered by Mactavish, the cybersecurity insurance market is plagued with issues concerning actual coverage for cybercrime events:
- Coverage is limited to attacks and fails to address human error
- Claims are limited to losses that result directly from network interruption, and not the entire period of business disruption
- Claims related to third-party contractors and outsourced service providers are almost always denied
All this goes to show why business owners need to look carefully at the fine print of their cybersecurity insurance policy and ensure their cybersecurity standards are up to par. No one should assume they’re covered in the event of a cybercrime attack—after all, for every $1 million paid in premiums, insurance companies only pay out $320,000 in claims.
3 Steps To Qualifying For Cybersecurity Insurance
Assess Your Infrastructure
The best way for you and your team to determine the kind of coverage that is best for your organization is to understand your IT infrastructure. By evaluating your systems from top to bottom, you’ll have a clear idea of all the different access points that could be leaving your network vulnerable to threats.
Remediate Your Vulnerabilities And Risks
Don’t forget to look into how investing in your cybersecurity could save you money on premiums. Open up a dialogue about it with your potential Cybersecurity Insurance provider and see what they suggest.
Next, it’s best practice to conduct a risk assessment and an impact analysis. Carefully review all your organizational assets—including financial data, customer information, and intellectual property.
Categorize assets according to risk and make considerations for the potential impacts that a data security event could have on all aspects of your business.
Not Sure How To Answer Cybersecurity Questions?
Allow us to take care of it for you. BMC Networks can help you improve your approach to cybersecurity.
Our team provides cybersecurity and technology services for businesses like yours—we are available to help you develop a robust cybersecurity defence.
We can ensure you qualify for a policy and minimize the chance that you’ll have to make a claim on your cybersecurity insurance.
Get in touch with our team to get started.