The choice is yours. Continue to read this article, and you choose the red pill. It will reveal the true nature of existence. Leave now, and you’ve chosen the blue one. You will remain blissfully ignorant. I’m not trying to terrify you. However, at the end of this article, you might wish you’d chosen blue instead. Sometimes truth is a bitter pill.
In July, 2019, on a sticky summer’s day in Rockville Center, NY, a frightening message popped up on the the IT administrator’s computer. He was working for the school district. The message read: “Your data has been encrypted.” The victim frantically pulled the plug on the infected computer. He limited the damage, but the malware was holding key files for ransom. Fortunately, the school district had cyber insurance. The insurance company paid almost $100K to get the decryption key from the attacker.
Contrast this with the recent ransomware payment by University of California at San Francisco (UCSF) of $1.14M, where they did not have any cyber insurance to pay the ransom. The cost of the ransomware and recovery came from the university’s pockets.
Cyber insurance is protection against the CONSEQUENCES of cyber attacks. This includes data breaches, and ransomware. The insurance covers the costs of: the investigation and forensics, notification and identity recovery for clients, restoring compromised data, and system downtime. Some policies cover losses from social engineering and, like the policy held by the school district mentioned above, cover the cost of a ransomware attack. Like other insurance policies, some items are not covered, such as the loss of future profits and theft of intellectual property.
You may consider cyber insurance a part of, but not a replacement for, your cybersecurity business strategy. If Insurance companies find negligence on the part of the insured they might not to pay out. Covered companies are supposed to implement industry best practices, policy, and training. Some underwriters will require company-wide training programs prior to issuance of the policy.
You might be wondering, “Does my business need cyber insurance?” If you lived in a flood plain, would you get flood insurance? Your business “lives” on a cyber flood plain. One out of every five cyber attacks are against small- and medium-sized businesses. Of those that suffer an attack, over 60% cannot recover from the residual financial loss. So, it’s not only big companies that need it. Small businesses have been flooded right out of business from cyber attacks, when not properly covered.
Cyber insurance transfers the financial component of cyber risk from your company to the insurance carrier. If your organization deals with a reasonable volume of Personally Identifiable Information (PII) or Protected Health Information (PHI), you should look into insuring it. The cost of an attack could shut your doors. So, if you are a health provider, a utility, or a government organization, it would be sensible to get a quote. If you run an AirBnB or a small-repair shop, you may be OK without it. Cyber attacks have impacted several local organizations, so don’t think it only happens in the big cities. Calculate the risk. Ask the hard question. What would be the impact If attackers targeted you? There could be stiff penalties from the Department of Health and Human Services — or worse, government scrutiny!
Is your organization prepared for a risky cyber world? Would you be like Rockville Center or like UCSF? Consider the options, then … choose wisely.