Cybersecurity Insurance: Consider Your Options

As a cybersecurity professional, I’m often asked by clients if they should buy cybersecurity insurance. My answer is “definitely,” but not without considerations. For one, you should determine the value of what you are trying to protect. And when evaluating a policy, ensure that you are clear on exactly what the policy covers—and maybe more importantly, what it doesn’t.

Cybersecurity insurance policies come in many forms, from a “quick” cyber policy, where applying requires you only to answer three or four questions, to a full-length application policy. The protection level and policy costs vary accordingly; quick policies may include multiple coverage exclusions or costly gaps. For example, lack of applying security patches may trigger an exclusion pertaining to your coverage. If you implement a recognized cybersecurity control framework, you will likely be able to find policies with more coverage at lower costs. This could also help lower your probability of later being denied coverage under your cyber insurance policy by inadvertently answering a crucial application question incorrectly.

A follow-up question I often get: Can I mitigate my business’s cyber-risk through a cyber policy, or should I implement cybersecurity controls to improve my cybersecurity posture?

I posed the question to Joseph Brunsman, author of multiple published cyber insurance articles, and a book on cyber insurance, he stated, "Cyber insurance is a crucial component - but arguably the last component - in the defensive posture of business. I would prefer, as would the regulators who can bring sizable fines and consent orders, cyber insurers, and attorneys who specialize in post-breach litigation, that businesses do everything in their power to avoid a breach. After that first breach occurs, insurance companies begin to take a hard look at internal cybersecurity postures. Increasingly insurers are demanding specific controls be implemented as a prerequisite to coverage. If businesses fail to adopt the correct posture, they could quickly find themselves with no recourse but to pay for every breach out of pocket. Taken as a whole, businesses need to consider their cybersecurity posture now; while it's convenient, and before it's mandatory."

HBK Risk Advisory Services can help develop and implement a cybersecurity program that fits your organization’s risk appetite and budget. Our assessment will offer a road map for continual improvement through cost-effective solutions. Call us at 330-758-8613, or email me at wheaven@hbkcpa.com for more information or to schedule an assessment. As always, we’re happy to answer your questions and discuss your concerns.
About the Author(s)
Bill is a Senior Manager in HBK’s Risk Advisory Services and works out of the firm’s corporate office in Youngstown, Ohio. He specializes in cyber security, IT security, external IT audit, internal IT audit, IT consulting, software Development, IT governance, PCI-DSS, supply chain, system implementations and e-Commerce and has worked for a wide range of industries, including the Public Accounting field. Bill is a certified public accountant, a certified information system auditor, and a certified supply chain professional.
Hill, Barth & King LLC has prepared this material for informational purposes only. Any tax advice contained in this communication (including any attachments) is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties under the Internal Revenue Code or under any state or local tax law or (ii) promoting, marketing or recommending to another party any transaction or matter addressed herein. Please do not hesitate to contact us if you have any questions regarding the matter.

RECOMMENDED ARTICLES