How does a provider know they can rely on their insured’s preparedness in the event of a cybersecurity attack? How does the management team know to what extent they should have cybersecurity coverage? While a company’s IT department may be competent, to what extent should the provider rely on internal assessments for their clients?
Standard general liability insurance does not cover damage or loss caused by a cyber attack, so many businesses leave themselves exposed to the consequences of one. In a world that is increasingly connected through mobile and cloud technology, no business is completely secure from cyber risk. Whatever your business, you buy services and materials from other businesses and connect to them over the internet. A cyber attack does not only result in the loss of your own data; it can also expose third-party data such as customer and vendor names and information, damage your reputation, interrupt your business, and attract litigation.
Insurers have responded with new insurance products under the category of cybersecurity insurance. These products scale with the size of the business and the type of information it holds. For example, a business that stores PHI (personal health information) would pay a higher premium than a business such as a restaurant. Nonetheless, cyber insurance will cost a few thousand dollars, depending on the coverage chosen.
Obtaining effective cybersecurity insurance challenges both the insurer and the insured. The key issue is how to set premiums. The National Association of Insurance Commissioners has recently addressed this issue with proposed guidance that would allow insurers to take an effective information security program into account when determining premiums. But how does the insurer know that such a program exists and that it is effective? How does the insurer know that the program is substantive enough to address cybersecurity risk? The proposed standard requires management to implement and monitor an effective program that is not confined to the insured’s IT Department and, for organizations that have a Board, defines the Board’s involvement in managing this risk.
Neither insurance companies and their agents nor the Boards and senior management of organizations are technology experts who implement and monitor a cybersecurity risk management program on a continuous basis. In this situation, management has to seek external expertise to review how its IT Department manages cybersecurity risk, and the credentials of that external expert become a critical consideration. The external services provider assessing preparedness should be one in whom the insured’s management has confidence and whose work the insurer can take into account when determining premiums.
CPA firms capable of providing cybersecurity services can bridge the gap between the needs of the insured and the insurer: they can independently evaluate management’s preparedness, outline the steps needed to remediate gaps, and deliver an independent assessment on which the insurer can then rely.
Withum’s Cybersecurity Services team is well equipped to provide such services through its talented team of professionals, who are experienced in a variety of cybersecurity assessment engagements. Withum can assist both insurance companies and the businesses they insure with an objective assessment of cybersecurity risk and with implementing effective programs to mitigate that risk. This gives insurance companies and the insured alike a common measure, changing the rules of the game as to how the premium for cyber insurance is determined. Withum can help management adopt an appropriate framework, address the gaps, and present its report to the Board. Such comprehensive assessments may well lead to cost savings on cyber insurance, as the insurer has a credible, independent third-party assessment that it can rely upon and take into consideration.