RCR 010: Cybersecurity Insurance - CISSP Study and Training!
Oct 08, 2018
Description:
Each week, Shon Gerber from ShonGerber.com gives you the information you need to best protect your business and reduce your company’s cyber risk. Shon provides cybersecurity training for businesses and explains how you can begin to address cyber risk in your daily business.
In this episode (Part 8), Shon goes over the basics of cybersecurity insurance and what you should consider for your business. This training is important for all companies, but it is especially suited to small and medium-sized businesses.
Transcript:
To meet your regulatory requirements while helping keep the evil hacker horde at bay. Hi, my name is Shon Gerber, and I'm your host for this action-packed and forwarded podcast. Join me each week because I provide the information you need to best protect your business and reduce your company's cyber risk.
Okay, this episode we are talking about cyber insurance. So this is something you need to consider as you have a business and as you deal with cybersecurity in your business: is it really important to have? Now, I'm going to talk about the key points to consider as you're looking at cyber insurance for your business. But you also need to consider as well that, as more and more companies are getting this cyber insurance, it's a bit more of a challenge with these insurance companies, because in the past they've been making money hand over fist in this space, and so now it's looking like, well, there's more claims that are happening, they're going to be a little tighter on what they do. That's kind of what I'm getting from a sense of what I'm seeing in the market. So there's some key points out here, and they're going to basically transfer to any business that you have. However, one thing to consider is that, as of the time of releasing of this video, a lot of stuff is probably going to be changing. So in the next 24 to 48 months we're going to see very large change, especially as we get more and more threats that are affecting companies.
Disclaimer: you've got to have it. I've got to have insurance. But in the case of companies, sometimes companies don't want to have cyber insurance within their company because, I think, it's just, it's not necessary. But in today's world it's really something you have to consider getting for your business, because one breach, and if you don't have this at a minimum, it's almost an entry stakes, we were playing this poker game, right? But in so many cases you get one bad breach and you're out of business. So you may work your whole life to have a business, and in just a short period of time it's gone. So consider having cybersecurity insurance as we go through these things.
Now, what is the definition of it? Insurance product used to protect businesses and individuals from internet-based risks and more information technology infrastructure and activities. Lots of big words, really confusing. So somebody clicks on a link so we can access your system, pilfering all of your data and shipping it all out to wherever, right? So basically, when this began is back in the 1990s, and they talked about digital cashing, and realistically it remained a niche until about 2005. And now, as we've been getting more and more audits there, I should say more regulatory requirements around this, it's becoming a bigger and bigger issue. And if a business is smart, they use it for mitigating risk. What you typically will look at is: do I have protections in place to mitigate the risk, or do I transfer the risk? In this case here you would transfer the risk, and they're using an insurance product to do that.
So you have a couple of different kinds of risks. You have first party, which is basically loss or damage of your own specific data, whatever it may be, but that's first-party risk. If it's just your data, then I guess that's good, right? So then you just lose your data and not somebody else's, but you're still out your data. So the insurance is to help mitigate that issue. Also built into the insurance, if you have no response process and so forth, that is built into this as well. Now, that's kind of rare, right? So if you have a business, it's extremely rare that your business is only your data. In many, many cases you have other kinds of business data that may not be yours; it may be a vendor's, it could be your customers'. But in reality it's very rare that it's just your data, specifically just for your company. You make a widget, and the widget is produced, you manufacture it, and you create this thing which is your own heart rate, I'm good. If you don't have any other data in there, you've got no vendors plugged in, and you've got no customer data in there, it's just you from beginning to end, then that's first-party risk and you're good to go. You get breached, meltdown, it's not affecting other people.
However, you've got third-party risk, which is liability to clients and governmental or regulatory entities. I have, SAP was hacked. I've seen situations where the SAP was hacked, and if that gets hacked, you know, you have gobs of data in SAP. Because what is SAP? SAP is basically the brains of your system. They call it ERP, which, I don't know what the acronym means, ERP, the brains that has all of your stuff. So if you have customer data in there, you've got shipping data in there, you've got free data, and that gets hacked, you've got all kinds of issues, right?
What most of the policies offer is a combination of traditional liability coverage, if somebody runs into you, right, and they have cybersecurity coverage as well. So you have all of these things that are built into this.
There's also privacy liability coverage. Now, this thing here is when you have your data, and it's kind of the HIPAA aspects of it as well, your data privacy. So you have individuals that have got "I've got this big huge cyst on the back of my head and I don't want anybody else to know about it" kind of data, right? That's PII, personally identifiable information. You are the only person in the world that has a cyst the size of a softball in the back of your head. Well, that is dependent upon the state. In the case of, say, Massachusetts: Massachusetts has very strict PII privacy data requirements, whereas maybe somewhere like Kansas may not have as stringent of a requirement around privacy data. It will vary. It also will vary from province or county, even, in some cases, and different countries for sure, right? You've got GDPR, you've got China, you've got other countries as well, and Vietnam's putting something out right now that's going to totally just shut down the internet, more or less. So it varies, right, from country to country, localities, cities, states, and so forth.
The one thing: avoid language that states you are not covered if there is failure to protect confidential information regardless of cause. You want to avoid that kind of language, because bottom line is that says right then and there, failure to protect any confidential information regardless of the cause. Those kinds of language, if you see that in your contract. I've got my data in there, and what will end up happening is they, the policy, say you're covered for that, but they won't go ahead and pay until a formal suit has actually been filed for the coverage, right?
There are some civil fines and penalties that can be included in the coverage, but they have certain cap limits on how much they're going to be. So you have different regulatory requirements. So let's just go for an example: the FEC, or the SEC, so the Securities and Exchange Commission. So the SEC can go ahead and fine you for something, say you're financial, right? But then also, depending upon how the data was transferred, the FEC, the, you know, communication people, FFFF, too many acronyms, but basically, you know, you can get multiple government entities' connections to you for the same thing. So that's something else to consider, right? But be mindful if the insurance company seeks to exclude this coverage. So if they look to exclude the penalties and fines, keep that in mind, especially if you are dealing with a government agency. So, something to consider on that.
Notification costs. Now, there's costs associated when you notify people. So you've been breached: you've got to go send out press releases, you've got the customers, you've got to let everybody know, you've got to have a call center set up so people can call in. So all of that, public relations, phone banks, advertising, you name it, it's all got to be there for someone who gets breached, and those are notification costs.
Why is this an important situation? Cybersecurity is becoming a priority for many third parties, and they have riders that have become a requirement on many new contracts that are being set up. Company is self-insured, you don't have to worry about it.
I have to deal with, an example I've got is the Target breach. Now, in Target, the company that has all the clothes and the food, like I said, the Target brand, the big red bull's-eye, the dog thing, it was almost $800 when it's all said and done is what it cost. And that includes what was lost in revenue, what it cost to remediate, what it cost in reputational issues, but they're saying in excess of 800 billion dollars is what it cost the company. The key thing is you need to consider cybersecurity insurance, especially if you're a small to medium-sized business, because in reality you can't absorb that. A big Target, they can absorb it, but even a billion dollars, that's a lot to absorb, even for a big company. So something to consider around that.
What states consider is that you need to really consider the possibility to help you reduce the judgment if breached. So in the case of cybersecurity insurance, let's just say you go out and you do something: you have your network in place and you don't do a good job of securing your network. Well, what's going to happen is now the judge is going to come back after you: have you done the things you should do? You still have cybersecurity insurance; that's going to help you. And in many cases the insurance companies are going to require you to do some level of security assessment to prove that you have a solid, secure network. They may even ask you that; it depends on how much insurance you're going to get. But the only thing is that if you go to a judge, let's just say there is a wrongful, you did something you shouldn't be doing, and they're coming after your business with money. Well, if they see, and you go talk to the judge and you're going through all of these things with the court, and you say, "You know what, I've done this security thing, I've got this in place, I've got these protections in place, I've got all these policies in place, and on top of that I have cybersecurity insurance to help in the event that there's things that I may have missed," that's going to go much better for you, potentially, than just going to it. It varies in this area, but the main thing here is that you need to consider it for your business, because if you don't, odds are high you're going to end up running into trouble as time goes on.
All right, check me out for other issues, whether for you, and if there's anything else we can do, let me know.