Omega Technical Solutions Blog
Insurance Companies are Starting to Require Cybersecurity—What Do I Do?
Cybersecurity is quickly becoming one of the leading risks that businesses of all shapes and sizes face. Cyberattacks are expensive, they threaten your business continuity, and they can even get you in hot water with compliance regulations, local and state regulations, and virtually any entity you are associated with.
It might feel like an insurance company’s way to nickel-and-dime business owners, since premiums will continue to rise, especially for businesses that aren’t meeting certain requirements. The truth is that, with this much risk, the entire world needs to adjust for cybersecurity.
Why is My Insurance Company Talking to Me About Cybersecurity?
This is happening to most businesses, no matter where you are and no matter what industry you are in. There are exceptions: businesses and organizations in healthcare, financial services, and a handful of other industries that typically handle more sensitive information may be held to higher standards. Generally, though, before an insurer provides coverage for a business, it wants that business to be taking at least minimal steps to ensure it isn’t wide open to a cyberattack.
What Cybersecurity Requirements Does My Business Need to Meet?
Your insurance provider will typically give you a list of the things they want you to have. That list will likely include the following:
- Secured, encrypted data backups
- Strong password policies
- Multifactor authentication
- Email filtering
- Web security and firewalls
- Endpoint detection and response (EDR)
- Vulnerability management
- Security awareness training and testing
They might not be especially clear about how to meet these requirements, and they might use some confusing language. Sometimes the rep you are talking to isn’t particularly technical and has a hard time explaining things beyond the usual script. We’ve had clients come to us because they were under the impression that their insurance provider was strictly worried about their website’s security, and we’ve even had clients who already follow much more intensive cybersecurity compliance standards and still felt that their insurance company was telling them they were missing the mark. To clear up both points: your insurance company is concerned with your all-encompassing IT security:
- How you collect data - your website, emails, vendors, internal endpoints, etc.
- How you store data - your infrastructure, your hosting, the cloud, your backup, etc.
- Who you give access to your data - your staff, your access levels, your vendors, etc.
- How you are protecting your company - your security infrastructure, monitoring, security policies, training, etc.
That involves a whole lot of different technologies, so it’s easy to get caught up on one particular thing—just keep in mind that it’s all-encompassing.
Also keep in mind that your insurance company doesn’t know anything about your network or your overall security. They are simply asking whether you have certain safeguards in place or meet certain guidelines. You might already have some of their requirements covered; you might not. Some will likely be purely policy-based, while others will require an actual addition or solution.
Your insurance provider will likely tell you that complying will keep your policy costs lower, and that if you don’t, your premium will increase or they might not fully support you in certain situations.
Regardless, don’t make the decision based on how much your insurance policy will increase or decrease. Put that information aside for a moment. What’s more important is that you actually use this as an opportunity to do the right thing for your business.
Check with your provider and make sure that you have their comprehensive list—everything they think you should do regarding your cybersecurity. You are going to use this as a bare minimum baseline.
Cybersecurity Needs to Be Taken Seriously
Here’s the thing though—sure, it might save you a little money over time on your insurance, and you can do a cost analysis to decide if the time to implement and change your IT is worth the lower insurance bill. Chances are, it probably is, but that doesn’t even matter.
What matters is that you are actually protecting your business. You should do this. You need to do this.
If you get hacked or suffer a data breach, you certainly won’t be glad you saved a few thousand dollars only to end up having to file for bankruptcy. You’ll wish you invested in protecting your network when you have to tell all of your customers that their data may have been stolen.
For the longest time, there has been this collective thought that cybersecurity is a luxury item that only big companies can afford or need to bother with. That’s not the case. There are plenty of cases where cybersecurity can become a problem that businesses continue to have to throw money at, but that’s only when you are forced to be reactive. Preventative measures are much more reasonable, and these days, it’s truly something that all organizations need to be taking care of. It’s not a luxury, it’s simply a necessity.
Let’s Audit Your Cybersecurity
Yes, proper cybersecurity can sometimes help you save a little money on your business insurance, and that’s great, but the real value is the fact that your business will be hardened and more prepared to mitigate an actual cybersecurity problem when it happens.
There is absolutely no business that utilizes computers in some way that shouldn’t be meeting these bare-minimum requirements. If your business stores any kind of customer or employee data in any way, or handles transactions, it’s your responsibility to ensure that you aren’t putting that data at risk.
Let’s take a look at your insurance requirements and make sure your business is following them. It’s easier than you think to get started—just give us a call at (703) 743-3056. Don’t put this off!