The Choice: The choice is yours. Continue to read this article, and you choose the red pill. The true nature of existence will be revealed. Leave now, and you’ve chosen the blue one. You will remain blissfully ignorant. This article isn’t intended to terrify you. However, at the end of it, you might wish you’d chosen blue instead. Sometimes truth is a bitter pill.
The Ransom: In July, 2019, on a sticky summer’s day in Rockville Center, NY, the IT administrator for the school district had a message pop-up on his monitor: “Your data has been encrypted.” He frantically pulled the plug on the infected computer. He limited the damage, but key files were being held for ransom. Fortunately, the school district had cyber insurance. The insurance company paid almost $100K to get the decryption key from the attacker.
A Different Result: Contrast this with the recent ransomware payment by University of California at San Francisco (UCSF) of $1.14M, where they did not have any cyber insurance to pay the ransom. The cost of the ransomware and recovery came from the university’s pockets.
Cyber Insurance: Cyber insurance is protection against the CONSEQUENCES of cyber attacks. This includes data breaches, and ransomware. The insurance covers the costs of: the investigation and forensics, notification and identity recovery for clients, restoring compromised data, and system downtime. Some policies cover losses from social engineering and, like the policy held by the school district mentioned above, cover the cost of a ransomware attack. Like other insurance policies, some items are not covered, such as the loss of future profits and theft of intellectual property.
Just a Piece of the Puzzle: You may consider cyber insurance a part of, but not a replacement for, your cybersecurity business strategy. Insurance companies have been known not to pay out if they find negligence on the part of the insured. Covered companies are supposed to implement industry best practices, policy, and training. Some underwriters will require company-wide training programs prior to issuance of the policy.
What About Me: You might be wondering, “Does my business need cyber insurance?” If you lived in a flood plain, would you get flood insurance? Your business “lives” on a cyber flood plain. One out of every five cyber attacks are against small- and medium-sized businesses. Of those that suffer an attack, over 60% cannot recover from the residual financial loss. So, it’s not only big companies that need it. Small businesses have been flooded right out of business from cyber attacks, when not properly covered.
Transfers Risk: Cyber insurance transfers the financial component of cyber risk from your company to the insurance carrier. If your organization deals with a reasonable volume of Personally Identifiable Information (PII) or Protected Health Information (PHI), you should look into insuring it. The cost of an attack could shut your doors. So, if you are a health provider, a utility, or a government organization, it would be sensible to get a quote. If you run an AirBnB or a small-repair shop, you may be OK without it. Several local organizations have been impacted by cyber attacks, so don’t think it only happens in the big cities. Calculate the risk. If your company was attacked, what would be the impact? There could be stiff penalties from the Department of Health and Human Services — or worse, government scrutiny! So, is your organization prepared for the risk of the cyber world? Would you be like Rockville Center or like UCSF? Consider the options, then … choose wisely.