4.17.19 – SSN – Yarmouth, Maine – Paul Ragusa
With cybersecurity pervading almost every conversation in security today, one topic that is often an afterthought in the discussion is cyber insurance. One fact that everyone can agree on is that it is not just a matter of “if” a company will be impacted by a cyber breach; it is a matter of “when.”
“I think there has been a lot of confusion as to what is available in regard to insurance coverage specifically related to cyber threats to business,” said Robert Tockarshewsky, Vice President, Property & Casualty Group for USI Insurance Services, one of the largest mid-market business insurance & consulting brokerages in North America. “An important first step is performing a simple review of your current policies to understand and ensure that you have the right coverage (or at least understand the limitations of your existing coverage), especially as your business changes and grows.”
Tockarshewsky, who has more than 20 years of experience working within the electronic security and life safety industries, including key roles at Honeywell/ADI and at Underwriters Laboratories (UL), focuses heavily on working to marry the collective issues faced by industry with customized business insurance and risk management solutions for his clients.
“Have a conversation with your insurance broker and find out what coverage you actually possess and then have a conversation with them based on what your current and future needs may be,” he explained. “Once you understand what you have and what you may need, then it comes down to your company’s risk appetite: Insurance is simply a means of transferring risk. How much risk are you comfortable holding onto and how much do you want to transfer?”
He continued, “What is your greatest concern when it comes to some sort of a cyber breach? Is it your database of customers? Is it your own internal systems controls? Is it the hack-ability of the interoperability of your system if you are a manufactured product that is going in and attaching to a larger ecosystem? So it is understanding what assets are most vulnerable, or believe are most vital to your business operation in the event of a breach, and that could cause a negative financial impact to your business and interrupt your operations as a whole will influence the type and amount of cyber liability coverage to purchase.”
The problem today, he added, is that many times companies are finding out after the fact — after a breach has happened — how little or how limited the scope of cyber insurance coverage they really possess.
“You speak to some of these guys and they say, ‘I spent so much money on the latest and greatest products and I made sure that all of my operators have gone through x, y and z training and yet my company still experiences daily cyber attacks and I feel no more confident in withstanding these attacks,’” he said.
In addition to having some cyber insurance coverage as part of a company’s general liability policy, Tockarshewsky noted that there are separate individual policies that relate directly to either a piece or a more comprehensive cyber coverage approach. USI cyber and technology risk experts are frequently asked by companies to recommend the best cyber insurance protection.
“The good news is, there are a lot of different ways you can go that are pretty cost-effective, so it is not like we are talking about tens of thousands of dollars to protect your company, big or small, to get a million dollars in cyber coverage,” he explained. “And a lot of times you are going to need larger coverage limits because in the breaches that occur, it is not just the cost of the breach itself, it is for the costs associated with restoring your reputation, for the down time experienced with the business interruption, whether it is several days or many, until you are up and fully running, as well as litigation costs to defend yourself, for example.”
As cyber threats are becoming more sophisticated, Tockarshewsky is seeing more long-term scenarios playing out, where someone may gain access to your system, or have found a way to hack into your product, yet hold this knowledge until they find the right time to strike.
“At USI, we witness so much of this, and not enough active (or even corrective) risk mitigation steps being taken to help uncover these ‘bad’ scenarios,” he noted. “USI professionals engage with all levels of our clients’ organization to review best practices specific to the risks of the company, and the industry as a whole. Because we are a large business insurance brokerage that works across many different industries, we see a lot of the latest and differing types of cyber threats that may not have come to the security/life safety industries yet. Understanding that this is happening elsewhere in the world today helps industry business owners plan their strategies for the future.”
In addition, it is vitally important that a company has a strong cyber-incident response plan (CIRP) in place.
“We talk about this a lot, as we see many companies having only one or two individuals who are in charge of the response mechanism when a company breach occurs. Surveys have shown that the longer that a breach has occurred or is allowed to occur, the more costly it is,” he explained. “If there is a delay in getting a hold of that person, the CTO, for example, that delay costs money. So having a solid CIRP in place is critically important.”