Sometime during my sophomore year at Marquette University, in between classic college trips to the dining hall and walking down to throw a Frisbee around by the lake, I made the decision to add a philosophy major to my degree.
“Who wouldn’t want to hire a double-major in theology & philosophy?”
Turns out, not a lot of businesses were hiring resident philosophers when I graduated in 2010.
I know. I was shocked too.
But what initially drew me to philosophy echoes in my work today: the idea of paradox, or how to reconcile two true premises in one contradictory idea. The paradox of free will, the problem of evil, the omnipotence paradox; these are just the sorts of things that got my mind racing. The Pinocchio Paradox is a favorite: if Pinocchio says, “My nose will grow now”, what happens? If it grows, that means he told a lie. But if it grows, that also proves his statement was true, so it could not have been a lie, and his nose should not have grown.
But back to business. You didn’t click a link to read stories about a lying Italian puppet. Last week, I was speaking to a crowd at the 2019 MSP Safepoint Security Expo, alongside the infosec mastermind Ryan Cloutier. Our joint session was about pairing cyber security & cyber insurance solutions to help keep budgets under control. As we talked, a new paradox began to creep into my head: what’s great for a company’s cyber security policy is bad for a company’s cyber insurance policy.
Ryan was making great points about having a dedicated security professional on staff, patching & maintaining your systems on a regular schedule, crafting and testing your cyber incident response plan, enforcing strong password guidelines, encrypting mobile devices, and more. These are all highly recommended practices that, if implemented, will reduce your likelihood of being breached and will reduce the cost-impact of a breach should one occur. All of the cyber security best-practices that Ryan was talking about are things I want my clients doing, but I don’t want any of these practices shown as conditions in their cyber insurance policy.
An insurance policy is a conditional contract, meaning that the insurance agreement only applies if both parties have met the conditions laid out in the contract. So it makes sense that a cyber insurer might choose to take these security practices and codify them as conditions of your insurance contract, right? That’s exactly the step that many carriers have chosen. Examples of limiting language you can find in some cyber insurance policies include: due-diligence conditions (you must perform cyber risk due-diligence of your vendors), exclusions for failure to maintain systems (though, thankfully this seems to be fading away), exclusions for theft of unencrypted laptops, exclusions for failure to enact a callback procedure during a social-engineering attack, and more.
And here’s where we get to the crux of the matter: if the policyholder doesn’t perform these tasks, they haven’t met the conditions of the policy, and coverage could be denied if a claim arises. But when you think about it, the claim might never have happened if the policyholder had these security practices in place and if all security practices worked perfectly.
Insurance should be there for when things go wrong, for when they go haywire, for when the unexpected happens and for when your best-laid plans get thrown out of the window. One of the best ways to make sure that happens is to work with an agent who can identify harmful conditions & exclusions in a policy and negotiate to have them removed (or place your business with a carrier who doesn’t have the same limiting language to begin with).
I want you all to employ cyber security best practices, such as those found in the NIST framework or the CIS Critical Security Controls. They will make you more secure. But I do not want your insurance policy to mandate that you use them, because in the real world, things don’t always go according to plan, and that’s when you need insurance the most.
The Cyber Work Group at Hausmann-Johnson Insurance has identified carriers that have this limiting language in their policies. And while there may be a business reason to go with such a carrier (i.e. you’re willing to accept the condition in exchange for a reduced premium), you need to know what conditions & exclusions your policy has.
Contact your consultant at Hausmann-Johnson Insurance for more details about what your policy says and what it means for your business.
Also, sign up for my webinar "Cyber Security Concepts for the C-Suite" to learn the latest from the cyber risk experts.