To Cyber-Insure, or not to Cyber-Insure…that is the Question
September 25, 2015
Steven Cohen, VP Herjavec Group
Last week BitPay filed a lawsuit against insurer MBIC to recover amounts denied under a commercial crime policy. It has been reported that in December 2014, hackers were able to pull off a social engineering attack against a BitPay executive, resulting in 3 separate transfers of 5,000 bitcoins (valued at $1,850,000).
This incident is particularly striking because of the fallout that occurred after BitPay turned to its risk mitigation plan to help the organization recover from the event. The company had a cyber-insurance package acquired from its insurance provider, but its claim was denied.
Businesses use different types of insurance as an instrument to manage risk exposure and ensure that operations can recover and continue in the event of a major incident. When an insurance claim is refused, this can create significant distress for the organization, often resulting in the business not fully recovering or potentially becoming insolvent. Common reasons for insurance claim denials include misrepresentation of an insurance claim, false or fraudulent claims, unlawful acts associated with the claim, or the claim not being properly covered under the insurance policy.
The situation is further complicated because cyber-insurance remains a very new field. Coverage for cybercrime is still evolving and there are few mechanisms to validate whether an organization is properly secure prior to becoming insured. Additionally, the requirements for organizations to be properly protected are changing rapidly, so the levels of protection and visibility in place must be reviewed constantly in order to maintain insurance coverage.
There are several key lessons that business leaders need to recognize as a result of the BitPay and MBIC lawsuit:
1. Insurance is not a replacement for security best practices. Business leaders need to ensure that their organization is meeting baseline security practices.
2. Cybersecurity insurance is a new field. Organizations need to be clear on what is covered (and not covered) in their cyber-insurance policy.
3. Businesses must work closely with the insurer to confirm expectations and understand the processes in place for when and how an insurance claim will be covered.
4. Organizations should work with a reliable security partner to ensure that security best practices are being met. Independent audits are a good mechanism to validate that security is properly employed and these audits may be mandated by an insurer. Any security gaps should be remedied prior to obtaining insurance coverage.
5. Every business needs a security framework. The framework is a clear approach for protection, detection and response in order to identify key threats, manage events immediately and minimize damages.