
A Series of Unfortunate Events: IT Edition
In this post, we address some of the common statements we have heard from businesses over the years. These statements often reveal gaps in planning or misconceptions about real-world IT risks.
When we hear someone say they decided against cyber insurance, my first thought is that they either do not fully understand their risk, they are simply cheap, or they may have already experienced an incident and now consider themselves uninsurable. None of these is positive.
This is a weak argument. Imagine telling your customers that you decided against any sort of insurance. Most customers want to know that their vendors are doing everything possible to protect them.
We understand the appeal of pushing all liability to your cloud application provider. However, cloud services operate under a "shared responsibility" model, which means that responsibility is literally shared between the service provider and the data owner.
With cloud services, the data owner is not the service provider but the customer. Because the customer owns the data, the customer is responsible for protecting it. Protecting the data includes controlling who can access it, enforcing multi-factor authentication, and implementing all the other safeguards you would put in place if the software were running on your own server in your office.
So when someone tries to push liability to the cloud service provider, our response is that while it is a good effort, the principle of shared responsibility has already been clearly defined and established.
Of course they are, but responsibility for protecting the data in applications is threefold: shared responsibility, data ownership, and who is ultimately accountable for protecting the data within an organization.
Shared responsibility is covered in depth, and you can read more about it at the link below. Link You will see that while the infrastructure delivering the application is the responsibility of the service provider, protecting the data is the responsibility of the client. There is also some overlap between these areas.
Data ownership is typically defined in the terms of service. For every service provider, read the agreement carefully to determine who owns the data. While service providers may want to use the data, I highly doubt they will claim ownership of it.
Lastly, who is accountable for data protection within an organization depends on its structure. What is interesting is that, in the end, it is not IT. It is not the help desk, the receptionist, or the office manager. Ultimately, responsibility falls to the chairman, the CEO, or, if designated, the CIO. [Insert Link]
Please refer to the last two sections.
Well, shoot. What do we do now?
This topic is far too involved to discuss fully here, but it is something you should ideally work through before it happens. What would you do if your most important application were compromised? What would you do if your most important application were down and unavailable?
This is a good question. After any incident, no matter the size, you need to revisit what caused the problem and evaluate what could have been done differently. When this review is done before an incident, using a hypothetical scenario, it is typically called a tabletop exercise; when it is done after an incident, it is called a post-mortem. In either case, it is good practice to review what happened and decide what you want to change, if anything.
First, cyber insurance is important. Consider not only the reputation of the insurance company, but also the agent selling the policy. An agent selling a cyber insurance policy while claiming no knowledge of what it covers is a red flag. Ideally, selling a policy involves explaining what the policy covers, what it does not cover, making sound recommendations to reduce risk, and making sure the insured is actually protected. If that cannot happen, how do you know what you are purchasing?
Second, think carefully about the potential cost of an incident and how it compares to the coverage in your policy. Cyber insurance policies often include both a per-incident limit (the most the insurer will pay for a single event) and an aggregate limit (the most it will pay across all events during the policy term). In some cases, the total coverage is nowhere near the estimated cost of an incident, often cited at $130-170 per record. So, how much insurance is enough?
Overall, we do recommend cyber insurance, though the details will vary by organization. Anything is better than nothing, but the specifics of the policy should be decided carefully by the stakeholders.

Let us manage your IT!
If you're serious about protecting your network, you're in the right place. Run Networks makes your protection our priority. We're here to help your Nebraska business with anything you need when it comes to Business IT Support and Cyber Security. Find out how you can reduce your attack surface and improve your security posture.