When a cyberattack hits, it’s the worst day of a company’s and an IT leader’s life, said Kevin Mekler, partner at Mullen Coughlin, a Devon, Pa.-based law firm.
“I start every phone call with a new client telling them that they’re about to have the worst 72 hours of their life,” said Mekler, whose job is to come into a company and, from soup to nuts, take people through a cyber incident.
Mekler joined Andy Anderson, co-founder and CEO of Sunnyvale, Calif.-based Datastream Insurance, and Blaine Carter, global CIO of FranklinCovey, a Salt Lake City-based business skills training and services firm, for a panel discussion on cybersecurity insurance and the midmarket at CRN parent The Channel Company’s Midsize Enterprise Summit in Orlando, Fla., this week. The panel was led by Adam Dennison, vice president of Midsize Enterprise Services at The Channel Company.
With cybersecurity breaches and high-profile ransomware attacks on the rise, IT leaders need to take a deeper look at their cyber insurance policies.
Throughout the panel discussion, Dennison polled the audience through Slido, a live-polling web application that collects immediate feedback from attendees.
At one point, Dennison asked audience members how they determined the amount of cybersecurity coverage they should get. Forty-one percent of the 103 who responded said their company established a formula to determine coverage, while 32 percent said they worked with a consultant.
“[Cyber insurance is] driving so many conversations,” Anderson told the IT leaders in the room. “You’re expected to be the architect for your systems, you’re expected to be the chief engineer, perhaps the chief custodian as well to clean up all the messes. And then you’re also expected to be the fire marshal and probably the head coach of the biggest game that your company’s ever going to play, and that’s a cyber incident. Unfortunately, most of you don’t know when that game is going to start or when you’re going to play.”
He said if nothing else, the panel hoped to help IT leaders figure out what their playbook looks like because a cyber insurance policy “is probably going to determine your roster and your budget.”
Here are the top three tips IT leaders should remember when taking out and relying on a cyber insurance policy.
Have A Plan And Work Through It
Mekler said IT leaders not only need to have an incident plan in place but they need to work through the plan as well “because working your plan will help you understand what it’s really going to look like. You don’t know what it’s going to be until the bell goes off,” he said.
“If you haven’t practiced it, and you don’t know who the decision-makers are going to be or what the funding is going to look like, you’re way behind and you’re going to be playing catch-up for most of it,” he said. “It’s going to cause a lot more damage.”
Mekler said he has seen an increase in the number of companies with a policy in place but in some cases the policy has “been on the shelf for five years.”
“[The policy] has to be dusted off and thought about much more often,” he said.
Carter said it’s also important for IT leaders to change their philosophy “so you’re not sitting there on game day calling up people and saying, ‘Hey, what do we do?’”
IT leaders need to practice the plan often so hiccups can be smoothed out, he said.
“A lot of the hiccups aren’t on the technology side but more with public relations on who’s able to speak to the incident and what kind of language is approved,” he said.
Avoid Common Mistakes Like Only Storing The Policy Online
It’s important for IT leaders to be mindful of where they store policy documents and the incident plan: if the only copies live on the corporate network, they may be encrypted along with everything else when a ransomware attack occurs, so an offline or out-of-band copy is worth keeping.
Carter said IT leaders should see if paying the ransom is in fact part of the policy, as well as what to do if their stock price drops.
In the Slido poll, attendees were asked if they had an incident response plan that they rehearse on a yearly basis. Of 68 respondents, 62 percent said no.
“It’s good to see honesty because I think a lot of times there’s a little bit of shame,” Carter said. “It’s good that people are saying, ‘We don’t have a response plan at all or it hasn’t been rehearsed.’ Everyone has to make the decision themselves that this is a priority. They have to spend the time to not only come up with [a plan] but also go through and ensure that it stays current.”
Mekler said IT leaders need to know how U.S. Securities and Exchange Commission regulations impact insurance coverage as well. While rare, he said he has seen some hackers go after the insurance policy’s playbook “and once they’re there, they start running scripts to look at certain files.”
But that shouldn’t deter anyone from getting comprehensive policies, he said.
“It provides you instant access into a network of professionals to supplement and buffer the people you already have and the people that you don’t have yet,” Mekler said.
Know The Details Of The Policy
Anderson said policies do differ but the majority are reimbursement policies.
“Some are half where you’re going to pay for your retention and your deductible,” he said. “But with those are ransomware demands. If you had to come up with a couple of million dollars in a couple of days and give it to someone who is going to convert it into bitcoin, could you do that?”
IT leaders also shouldn’t look only at the headline limit on their policy; they should check the sub-limits to see what is covered and what is not. Determining whether to pay the ransom and how much to pay is a decision only the company can make, Mekler said.
“There are certainly ‘need’ buckets and there are a lot of ‘want’ buckets,” he said. “If you can’t open your doors and it’s going to close the business down, you’re probably going to be in the need bucket. If it’s, ‘They might have taken some stuff and I want to try to pay for some data suppression,’ that’s probably a want bucket.”
When it comes to negotiations, Mekler said it’s all about bringing in the right people.
“The value of that is immeasurable,” he said. “We are working with teams to actually formulate the negotiations to put the strategies in place and to adjust those strategies because there is a methodology to it. These guys are businessmen on the other side. Yes, they’re criminals but they are businessmen. If you deploy a lot of those strategies, then you will drive that number way down.”
Knowing those strategies up front is crucial, he added, so that business interruption is minimal during an attack.
“Tabletop exercises and putting a plan together are incredible tools to help make what is often a very amorphous topic very real for not just people in this room but the people that you report to,” Anderson said.
Hamid Khaleghipour, executive director of business performance and innovation for the City of Addison in Addison, Texas, said he was going to follow up with Mekler regarding government rules and regulations when it comes to cyber insurance policies.
“I want to see how he could help in the state of Texas because the state of Texas has its own rules and regulations,” he said. “I want to see if [his services] could fit into their regulation based on some of the cybersecurity plans and incident plans that we have in place. Since we are local government, we have to contact the FBI and other agencies if a ransomware attack happened because we are supporting public safety.”
He said his executive team luckily knows about the importance of an incident response plan and has one in place, but he wants to try some of the rehearsals outlined during the panel so that they’re ready should an attack happen.
“I’m going to recommend a tabletop exercise because that [can identify] a lot of issues that you think you have under your belt but you don’t,” he said.