Cyber Insurers? Are they part of the problem?
Do you think cyber insurers are part of the problem with the growing ransomware issues we all face? For me, I think they certainly contribute to the problem.
A majority of you thankfully have not experienced a cyber event requiring you to notify your cyber insurer. That's a very good thing; I hope you never do. But should that time come when you have to make that fateful phone call for assistance, it's going to be a whirlwind. It will be easy to get pushed around and bullied during the frantic nature of it all.
Don't get me wrong, I fully support having a "good" cyber insurance policy. It's a very good thing to have. Frankly, businesses shouldn't operate without it, but when was the last time you really read your policy? Not just the lawyers, but the technical folks AND the lawyers reviewing it and understanding it together? Most haven't. Everyone is too busy. You selected a certain company because someone saw them present at a conference or, like most of us, you went with the lowest bidder. Which is always a quality way to find issues.
What is your trigger or threshold to call your cyber insurer? I did a poll and, out of 45 organizations, only a handful knew what their threshold was. Nor did they know what happens when they do call. During an incident isn't the time to learn that.
That's the point of this article: what happens then? To the cyber insurer, you're a loss. You've paid your premium and now they are trying to minimize their financial liability. They will do what is contractually required of them but rarely anything more. It's important you understand two key components here.
- You're the victim.
- You're the client.
I had a hospital CEO tell me after his organization's incident was over that he was their puppet and that they told him prior to arrival, "He would do everything they say." Frankly it's a scare tactic, because you don't want them to withhold any percentage of funds you may need, but why was your contract written in such a way in the first place?
Want law enforcement help? No way, not allowed. Your cyber insurer wants nothing to do with them. Working with another organization that assists in cyber incident response? Nope, that's also not allowed. You'll work with their third-party consultants only and no one else. Hopefully those consultants arrive at your location quickly, but it can often take a couple of days. Fingers crossed their incident responders aren't backed up with other incidents, or you could be waiting longer. How about sharing IOCs (indicators of compromise)? Nope, that most definitely isn't happening.
It's not like I haven't seen this a dozen or more times; I have. And it's pathetic. If you're ever hit with a significant cyber event that requires you to call your cyber insurer, you'll be wishing someone had shared IOCs with you. If they had, maybe you could have prevented what happened. Or law enforcement may have made an arrest or thrown up some interference so you weren't hit. Yet here you stand, with no intelligence and your cyber insurer bullying you around because they don't allow you to share information. They don't want someone to second-guess them, their actions, or their decisions. Which is crazy, because that's what everyone in IT/IS does anyway! Just call me Judgy McJudgerson. We're going to do it one way or another.
A couple of years ago I was contacted by a large organization that experienced a ransomware attack. We started scrambling to assist them when all of a sudden they went radio silent. Wouldn't answer my calls, texts or emails. Weird, right? Then the county administrator and emergency management director where they were located called the organization. They both had a personal and professional relationship with the senior representative they spoke to and asked, "How can we help, what do you need?" The senior representative replied, "What incident? We don't know what you're talking about." It was two days later that the local paper broke the news of the cyber breach. Unfortunately the damage was done, and as an organization you're left repairing the broken relationships while the cyber insurer skips town. For what? How did it help to say nothing to two key people you have multiple relationships with, who wouldn't run out and blab to the media, only to have the news break two days later? File that under "how not to react to an incident 101." Many inept cyber lawyers over-legalize cyber issues that are not real issues. They don't know any better, so the theory of always saying nothing to everyone takes over. That's wrong.
I could beat this drum for hours, but I'll close with this. When you review or purchase a cyber insurance policy, make sure it's written as much to your benefit as possible. If not, shop around. There are great cyber insurance companies out there. I hear of them from their clients often, but I hear more about the bad ones, and there are plenty of those. Remember: you're the victim, you're the client, and they are YOUR paid vendor. Allow law enforcement to investigate; if you have a partnership with other incident responders, let them come in; and make sure you share your IOCs. You don't have to slap your name and logo on anything, but help others prevent the same type of incident. Start being a part of the solution and not a part of the problem.
Sean Fay, I would have to agree with you. If the information presented here consists of factual statements, then the problem is a lack of education in what they are supposed to be protecting as specified cyber insurers. There is almost a duty at this point for some (not all, understandably) things like IOCs to be shared, for businesses to request the help they think is best for them, and then not be basically prosecuted for doing so. There was and still is some lack of understanding in the legal space of cyber, and I think we are seeing the same thing here in insurance and protection of the victim/client.