Do you know what your cyber insurance policy covers? Beware! If something happens, you’ll want to be sure your policy actually covers your business. In my experience, it can be extremely expensive and severely business-affecting (if not business-ending) if your company is hacked and your policy doesn’t include protection against damage and business loss caused by sophisticated “hack your human beings” scams that use social engineering tactics.
I’ve seen it too many times: phishing and scam emails sent to CEOs, COOs, finance and HR people in organizations, followed by sophisticated follow-up social engineering phone calls, wire transfer scams, and spyware, malware or crypto-locker type attacks.
From an IT perspective, you need a good technology company that has your back; it’s worth it. Navigating the landscape of insurance, security and IT is more confusing than ever. Insurers and underwriters are asking a lot of questions on their applications and renewal questionnaires, most of them relevant, but some of them confusing or irrelevant. It’s important not only to complete these forms accurately (an inaccurate answer on the application can itself give an insurer grounds to deny a later claim), but to actually have the security controls and protections the forms ask about in place in your IT infrastructure.
Last week, another example of this came up in Canada, where Canadian Underwriter reported on a legal case and urged insurance brokers to make sure their customers were covered for social engineering fraud.
In that case, the insurer denied coverage for a $224,000 claim because the company’s employees were duped by a social engineering scam.
Editor Greg Meckback notes:
Brokers should not assume that a client who has bought a cyber or crime policy is covered for the risk of innocent employees who are duped into making fraudulent money transfers.
Check your cyber coverage and be sure that you have the proper endorsements available to you. Endorsements are available for covering social engineering fraud, but brokers will need to inquire about them, lawyers warn. Some social engineering schemes may not be covered as part of a standard crime policy for ‘Funds Transfer Fraud.’
If your IT company is not including some sort of ongoing security awareness and compliance training, they should be. If they can’t, then you should find one who can. Gone are the days of configure-it-and-leave-it (you need ongoing network and IT management), and gone are the days of the solo IT guy being able to handle all of your security needs (trust me, they simply cannot; there is too much to pay attention to).