This raises an important question: How should small communities think about cyber insurance? In the past year, cyber insurance premiums have become slightly more affordable, but deductibles (or self-insured retention, as they’re typically called) have climbed.
For local communities, especially smaller cities, towns and counties, it’s important to be an informed consumer of cyber insurance to make sure you’re coming out ahead.
Foundational Cyber Insurance Facts
Before getting into step-by-step guidance, it’s important to understand that when it comes to cyber risk, you can mitigate, transfer, accept or avoid it. Whereas certain controls might help you mitigate risk, insurance allows you to transfer that risk.
If you simply accept your cyber risk and get hit with a costly ransomware attack, you will need some sort of self-insurance, maybe through a combination of security bonds or other reserves set aside. For example, it’s common for local governments to self-insure for harms like fire hydrant failures or squad car collisions. But some localities have insurance policies that cover various other losses. If a municipality has either of these mechanisms in place, they need to determine if their self-insurance or policies are sufficient to cover cyber harms. If not, they may need to layer in third-party insurance coverage.
In other words, the question you’re asking when considering cyber insurance is this: If we accept our risk, can we finance our way through, should the bad thing happen? If the answer is no, you probably need some additional form of cyber coverage.
At the end of the day, if IT is crucial to your community, you need to insure it, whether that’s through a surety or rainy-day fund, a captive that various communities pay into as a risk pool, or a third-party cyber insurance policy.
Taking the Right Steps to Get Properly Insured
Any city, town or county that is considering cyber insurance should take the following steps:
Step 1: Conduct a security assessment
There’s no point in reaching out to a broker or inquiring about cyber insurance if you haven’t taken some basic steps to shore up security.
Qualification for an insurance policy is usually contingent upon having a foundation of security controls in place: multifactor authentication, firewalls, incident management, patch management and encryption, for example. The controls you have — or don’t have — will also influence your premium and deductible.
Many insurers rely on commercial tools such as SecurityScorecard to determine risk scores based on externally observable factors; think of it as looking at your organization from the outside. This is something you can commission yourself. If you learn you have a poor score, your priority should be to fix that first. Otherwise, you probably won’t qualify for a policy at all.
Step 2: Find out if your brokerage offers cyber coverage
If you’re already working with a broker and have insurance for other assets, layering on cyber insurance can simplify management of the policy, and may even yield a slightly discounted rate.
If your broker does provide coverage, that initial self-assessment starts to come in handy. Brokers will typically give you their own assessment and require that you complete it accurately. These can be tedious, especially for small towns and cities that don’t have a CISO on staff. If you fall into that category, it’s worthwhile bringing in a virtual CISO to help with this part of the process.
Step 3: Understand what risk you’re transferring
This part is crucial to knowing what you actually want to have covered. Buying insurance transfers risk. Your job is to figure out how much risk you want to transfer. It’s often not as simple as telling your broker that you want $4 million worth of cyber coverage. In some cases, it makes more sense to get multiple providers to split up the coverage to improve your chances of getting approved for a policy. For example, you may not be able to get $10 million worth of coverage from a single provider, but a provider may be willing to cover the first $2 million, allowing a different provider to cover the remainder. The more you know about your risk, the better suited you’ll be to create a cyber policy or set of policies that works well for your jurisdiction.
Step 4: Adhere to the terms of your policy
To be claim-ready, you must meet certain requirements that are in your policy. These are necessary for you to be paid if you are breached, impacted by ransomware or otherwise afflicted by a risk you’re insured against. The last thing you want is to pay your premiums and not be able to capitalize on the payout due to a technicality.
Once you have the coverage in place, make sure you align your incident response plan to the cyber policy. It’s not always as simple as calling a hotline when something goes wrong. One misstep can cost you dearly, but as long as you’re diligent in your incident response — and as long as you did the legwork in the first three steps — you should be covered.
Every City Needs Cyber Insurance
If there’s only one lesson you take from this post, let it be this: Every city, town and county that can be harmed by ransomware or other cyberthreats ought to insure against those risks.
Again, it’s just a question of how they go about it, and whether they take the necessary steps to come out ahead (or at least break even) in the event of a damaging cyber incident.