Poor IT security, cyberinsurance, and lawsuits
As cyberinsurance continues to become a critical part of IT & risk management for businesses, there are a few recurring problems. The biggest one is that cyberinsurance policies rely on a long application with in-depth questions about IT security controls. This leads to:
Insurers refusing to cover/renew a company due to poor IT security, such as a lack of simple controls like multifactor authentication (MFA).
Companies/IT not understanding what is being asked and answering incorrectly. We’ve seen this happen several times with business owners who filled out the application to the best of their knowledge, with no input from IT.
Applicants outright lying (well, maybe. It has happened in other types of insurance so it is not a stretch to assume!)
For those with client compliance requirements such as law and financial firms, these same concerns apply to annual/quarterly due diligence audits.
Additionally, applications with incorrect or inaccurate information can lead to lawsuits. Historically, stand-alone, comprehensive cyber policies have always paid out but that is starting to change as the insurers catch on to the lack of IT security in many businesses. Last week, Travelers filed a lawsuit against one of their insureds for an almost complete lack of MFA, despite indicating otherwise on their application.
The sad part is that the security requirements from insurance companies are easily achievable, especially MFA, and it is negligent to not have it turned on today. Office 365, G Suite, etc. have MFA built-in at no additional cost, and the security advantages are well known.
What are the takeaways from the cyberinsurance lawsuit?
Always involve a qualified person from the IT team when completing cyberinsurance applications.
Establish a high baseline of IT security controls before an application asks for them.
If your team lacks the expertise, there is plenty of third party expertise available to help.
Hopefully your parents taught you to never lie - take that advice, especially when filling out legal documents!
Is your IT struggling to build and plan for security, risk, and compliance? At Clear Guidance security is a cornerstone of our business, and baked into every IT offering. We excel at supporting clients with high security and compliance needs. Talk to a partner today.