FoxPointe Security Hub

The Importance of Cyber Liability Insurance

August 3, 2023

This article was written by James Normand, Security Consultant at FoxPointe Solutions

Cybercrime events cost affected organizations trillions of dollars annually, and the monetary damage caused by these incidents is increasing year over year. Many well-known organizations have acknowledged the unfortunate rise in cybersecurity incidents and the importance of appropriate insurance. The United States Federal Trade Commission, in conjunction with the National Association of Insurance Commissioners, has published guidelines for organizations considering adding cyber liability insurance to their defensive posture. Similarly, the AICPA requires that organizations consider the mitigation of risks of business disruption and the use of insurance to mitigate the financial impact of security incidents.

FTC Advice and AICPA Criteria

According to the FTC and NAIC, possible attack vectors that must be considered include, but are certainly not limited to, data breaches, cyberattacks on data held by third-party vendors, and cyberattacks on an organization’s own network. Organizations should also consider whether their insurance policy could help defend them in connection with lawsuits or regulatory investigations and whether a breach hotline is available to report possible malicious activity. First-party insurance coverage can also include legal counsel, coverage of fees, fines, extortion payments, penalties, and public relations activities related to cyber incidents. Third-party insurance can cover claims and settlements from lawsuits, litigation, and accounting costs. The FTC cyber insurance guidelines are available for review here.

AICPA Trust Services Criteria Common Criteria 9.1

AICPA Trust Services Criteria Common Criteria 9.1 describes the risk mitigation procedures that should be in place to ensure that an organization is able to recover from, and offset, the financial impact of loss events that could impair the ability of the organization to meet its objectives. Common Criteria 9.1 specifically requires that organizations consider the use of insurance as part of the organization’s layered approach to security. The AICPA Trust Services Criteria are available for review here.

Next Steps

Cyber liability insurance should be considered as part of your organization’s layered approach to cybersecurity. Make it a priority to evaluate your organization’s specific needs against the guidance above and to review any requirements set forth by relevant regulatory agencies. For further reading on developing a robust cybersecurity plan and understanding common types of attacks, take a look at the following articles:

  • “How Prepared Are You for a Cyber Incident? Test Your Incident Response Plan to Find Out.” Written by Christopher Salone
  • “The Invisible Threat: Social Engineering Attacks and Techniques” Written by Brendan Horton
  • “Side Channel Attacks & How to Prevent Them” Written by Jessica Ramirez
  • “MitM Attacks and How to Prevent Them” Written by Ryan Krawczyk