Jack Gerbs

Cyber Insurance

While cyber insurance policies have been around since 1997, only recently have they become popular. Many companies have started offering cyber policies. Because of the explosive growth of this industry and the diversity in policy coverages, it can be difficult to understand what you are buying. While there are professional agents that have taken the time to understand cyber policies, there are many more out there offering policies without understanding what the policies cover. I will be doing a webinar on this topic later this month, but here is a brief summary of some key areas.

Policies typically contain 4 to 5 sections. They are the declarations, insurance agreement, conditions, exclusions and definitions. Knowing what is covered is just as important as knowing what is not covered. I can share many sad stories of companies that had cyber insurance, thought they were covered, but were unable to collect.

To help understand coverage, or lack of coverage, here is a brief summary of one of those sad stories that happened here in the Miami Valley.

The owner of a small business had his email password compromised. The criminals continued to monitor his email account for a while. The criminals were able to intercept an invoice that included wire instructions. The criminals modified the invoice and changed the account number for the wire transfer. The business typically pays their vendors via wire and everything looked like business as usual. The business paid the invoice as instructed (wiring the funds to the criminals’ account).

The company didn’t learn of the issue until their vendor asked for payment because they had not received it. By this time, it was too late; the money was gone.

The company notified the police, and their insurance company. They were not covered for this incident because it was not considered a theft. The owner of the company authorized the payment to the criminal. The language of the policy was specific on what would be covered and not covered. Because this was an authorized payment, they were denied coverage.

I can’t stress this enough, when shopping for cyber insurance, ask lots of questions and make sure you understand your coverage. It is always best to work with a professional!

Quanexus IT Services for Dayton and Cincinnati

Request your free network assessment today. There is no hassle, or obligation.

If you would like more information, contact us here or call 937.885.7272.

Follow us on Facebook, Twitter and LinkedIn and stay up to date by subscribing to our email list.

Posted by Jack Gerbs in Cybersecurity, Information Security, Recent Posts

Preparing for the Unexpected and Risk Management

Risk Management: How Much is Enough? (COVID-19)

Our economy has been devastated by the COVID-19 Pandemic. What could businesses and individuals have done differently to be more prepared?

The risk management process typically includes:

  • Identifying threats
  • Classifying risk based on threats
  • Determining the likelihood of a threat occurrence
  • Determining the impact of the threat

Two approaches can then be taken for managing risk: low watermark or high watermark. The low watermark model states that if any part of the classification is low, then very limited resources should be spent to protect against the risk. For example, if the likelihood is low but the impact is high, the overall risk rating should be treated as low.

The high watermark model states that if any part of the classification is high, then appropriate resources should be spent to protect against the risk. Based on the low and high watermark models, companies also add an amount of subjective input into the equation.

The biggest challenge with risk management is limited budgets. With limited budgets, companies spend most of their resources and incident planning based on scenarios that are likely to occur. Examples of this include recovering from ransomware, recovering from and management of breaches, etc. It is easy to second guess any organization once an incident occurs. Sad examples of second guessing include:

  • How many ventilators are reasonable for a hospital or the government to stockpile?
  • How much personal protection equipment (PPE) is reasonable to stockpile?
  • When should borders be shut down and travel restricted?

What about personal responsibility? How much should individuals be responsible for? Is it reasonable to expect individuals to always have:

  • A 60-day supply of toilet paper?
  • A 60-day supply of hand sanitizer?
  • Protective masks?
  • How much savings is reasonable for every family?

From a personal perspective, three months ago some of this might have sounded silly, but not now. When it comes to risk management, businesses make decisions like individuals do. Decisions are based on the likelihood and impact of potential events and limited resources, budget and money.

To exacerbate things, our memories are short. It will be interesting to see what really changes over the next five years, if there are no further outbreaks.

Stay Safe!

Posted by Jack Gerbs in Cybersecurity, Information Security, Small Business, Virtualization

IT Security and Risk Management

Jack talks through how we handle risk in the IT Industry.

 

Posted by Jack Gerbs in Cybersecurity, Information Security, Recent Posts, Small Business