Like a credit score, such services provide an outside view of an internal state—in this case, your security posture. They can even help detect breaches and give management an indication of how your company measures up against its peers.
Find out whether or not you are covered
Unfortunately, many companies do not fully understand what their insurance covers. Just as homeowners can be shocked to learn that their homeowners’ insurance does not cover flooding, companies can find that an incident falls outside the coverage of their cyber insurance.
For that reason, think about conducting tabletop exercises that allow you to look at different coverage scenarios. If your network is breached due to the security shortfalls of a third-party app, is your company covered by the insurance policy under consideration? How about if one of your employees picks up a flash drive in your company parking lot, inserts it into her laptop, and takes down your network, causing your e-commerce site to go dark? Is the lost revenue covered?
Many insurers attempt to minimize their potential costs by reducing coverage amounts or including exceptions in their coverage. It’s important to consider those limits when evaluating policies and reviewing scenarios.
Smaller companies and suppliers need coverage too
The average breach from 2013 to 2015 consisted of a loss of over two million records and cost $665,000, according to the NetDiligence Cyber Claims Study 2016. The study found that the majority of claims are made by companies with less than $2 billion in revenue.
As the numbers show, companies of all sizes, including smaller organizations, suffer from cyber events and need cyber insurance. Large companies should consider requiring that their suppliers also have a certain level of coverage.
Finally, companies of all sizes need to make sure that their deductibles are not too high and that they understand which factors are considered when calculating damages. If your insurance does not cover an incident because it falls under your deductible, the coverage is worthless.
Sara Boddy currently leads F5 Labs, F5 Networks’ threat intelligence reporting division. She came to F5 from Demand Media where she was the Vice President of Information Security and Business Intelligence. Sara ran the security team at Demand Media for 6 years. Prior to Demand Media, she held various information security consulting roles over 11 years at Network Computing Architects and Conjungi Networks.