Could Cyber Insurance Soon Become Mandatory For All Businesses?
By Brandon McCrillis
Many organizations today choose to purchase cyber insurance policies to protect their business from the impact of a cyber incident. It’s important for businesses to realize that a beefy cyber insurance policy should not be a replacement for good information security practices.
Recently, the Food and Drug Administration (FDA) publicly criticized Abbott Labs (which acquired St. Jude’s) over the company’s lack of risk analysis and security precautions for its implanted medical devices. The FDA also criticized the company over two patient deaths caused by an implanted device battery malfunction. These actions by the FDA were the result of a research firm publicly announcing security flaws found in Abbott’s products.
Before releasing its findings publicly, the research firm placed a large Wall Street bet that St. Jude’s stock would plummet. Abbott is currently suing the firm over its short-selling tactic. The FDA’s actions have sparked debate on whether or not cyber insurance replaces good security practices and risk mitigation techniques when protecting your business from a cyber event, and on whether there should be more security oversight.
Cyber security of medical devices has been an area of concern for a while now, and too many medical devices are hopelessly vulnerable. Former Vice President Dick Cheney famously required that his implanted medical device have its wireless communication capabilities disabled to “thwart hacking.” The risk is real, documented and excised.
With tech-driven business today, no matter the vertical, every business could be impacted by a cyber incident or event, and that could directly impact the bottom line. Should a regulatory body make it mandatory for all businesses to possess cyber insurance? If so, would that even be effective or would cyber insurance completely replace good security?
Your current liability policy may cover some cyber impact, but chances are you are underinsured and subject to strict parameters to even receive a payout when needed. In the case of Abbott, not only were flaws released publicly, but the timing was intentional to tank stock prices. Does your cyber insurance policy cover stock and revenue loss as well?
“Too many organizations today are substituting cyber insurance for security. These organizations often find out too late that insurers won’t pay when the insured fails to adopt industry standard security practices,” said Jake Williams, President and Founder of Rendition Infosec.
Rendition Infosec has assisted clients when navigating the idiosyncrasies of their cyber policy and kicker selections. We are frequently asked by our clients about proper coverage when choosing the best cyber policy features tailored to their business model and risk appetite.
Rendition InfoSec recommends that every business leader first appropriately assess risk through an industry-standard framework. Understanding your cyber risk now will increase the effectiveness of your incident response processes and help to align your controls. If you choose to protect your business with a cyber insurance policy, know what you need to cover your risk acceptance, and reassess your insurance needs as your attack surface widens. Lastly, never substitute cyber insurance for good information security.