On-Demand Webinar:
The Impacts of Cyber Insurance on The DIB

1. Is there an insurance requirement in CMMC 2. If there was would this force companies compliance and put verification of compliance of CMMC on insurance companies reducing workload on government?

Bob: There is no insurance requirement in CMMC 2.0. As things stand, insurance companies cannot consider a CMMC assessment as demonstration or proof of adequate security – since the CMMC regulations are not final and CMMC C3PAO assessments have not started. It would be ill-advised, IMO, to force DIB suppliers to have insurance because many companies could not get it and therefore would be excluded from the DIB.

2. Under CMMC 2.0. Is there any requirement for cyber insurance? I noted at the last Town Hall with the AB that Matt. T. mentioned the requirement for C3PAOs and RPOs to have at least $1 mil in cyber liability insurance.

Bob: There is no requirement in CMMC 2.0. However, as a matter of business prudent liability insurance should be obtained by companies who provide cyber services or counseling, such as RPOs, or who are C3POs. I believe that such insurance would be for claims regarding the adequacy of their professional services, rather than to pay for cyber breach costs of their clients. The agreements between such service providers and their clients should include provisions to limit the liability of the service provider.

3. It appears that the insurance companies are raising the bar so high that it is going to price most MSPs out of the market. an analogy like with CMMC, if the DoD raise the bar so high that most small shops drop out, then there will be so few companies in the DIB to service the DoD

Bob: I don’t have knowledge of the availability of cyber insurance to MSPs. However, I can see that insurers would be wary of a MSP seeks coverage against the “third party loss” of the MSP’s client. That is why MSPs and other service providers should use contractual terms to exclude and/or limit their liability to such claims.

4. What do you consider the most compelling reason for cyber insurance? Pay a ransom? Legal support? Forensic support? Negotiations? All of the above? Seems execs get too near-sighted on payment of a ransom; but the other benefits seem to outweigh the payment.

Bob: The most compelling reason is to have a source of funds to pay for the many types of costs that result when a breach or ransomware attack occurs. These include both first party and third party costs. First party costs, otherwise incurred by the insured, include forensics, legal and supporting costs to deal with a ransomware attacker, payment of an amount demanded by the attacker (if allowed under applicable laws and permitted by the policy), system restoration, and business interruption costs. Third party claims include those which may be made by persons or companies whose data is compromised and can include claims arising from privacy obligations under state laws, GDPR claims, potentially, regulatory claims and penalties, and other forms of liability as may be claimed by third parties who assert injury. What is actually payable depends on the specifics of the insurance policy, and there will be withholds or retentions that the insured must pay itself before the coverage kicks in. Yes, costs in addition to the ransomware extortion payment can greatly exceed the amount of the ransomware itself.

5. How would you choose a more secure MSP to work with?

MSP Alliance Cyber Verify certification seems to be the only industry audit methodology https://mspalliance.com/cyber-verify/

6. How does increasing 3rd party liability (tort) affect cyber insurance coverage?

Bob: That depends upon the terms or nature of the 3d party liability (tort) coverage. Some such policies may exclude losses due to cyber events. I would not assume that cyber events are covered under such a policy unless this is evident from close reading of the policy. My sense is that the present practice is that cyber policies are written separately from general liability or other enterprise insurance.

7. Is there any DOD specific ransom data? As an industry, I have not seen data specific to this category.

Bob: I am not aware of any. It is a good question. However, as a general proposition, the “quality” of data on ransomware attacks is uncertain. Many companies decide not to report ransomware to anyone if there is no legal or contractual reason to do so.

8. Are there any known cases of breaches on insurance companies where a hacker gets policy amounts for clients and then target those clients for their published insured amounts?

Bob: I am not aware of any. But a sophisticated hacker, which performs reconnaissance on the target before the attack, definitely could know which business relationships (customers) are most important to the company it attacks. I have heard of instances where a customer is informed that their data has been hacked, increasing pressure on the attacked company to pay. What a hacker learns in an attack on one company certainly could inform its decisions about other companies to attack and what to demand.

9. Does / would cyber insurance cover both an incident (say stolen data) AND a GDPR suit? Or would that be two different insurance plans.

That depends on the terms of the policy. A policy can include both. If a US company has no EU information or business, its policy might exclude GDPR liability but include US privacy obligations such as notification of breach and identity protection.

10. Are you seeing any companies getting in trouble for not checking the denied parties/entity list when paying a ransom?

This is a different domain – but, yes, companies do face exposure, to the FinCEN and OFAC units of the Department of the Treasury, and possibly to the Department of Justice, if they pay or facilitate payment to an entity on the denied parties list. Companies are strongly advised to use available forensics and data intelligence services to avoid any payments to any entity on such list, and to report as required under the applicable regulations.

11. I'm seeing "insurance as a service" discussed recently - is this the future?

Bob: I’m not aware of this. For cyber insurance to be available, a carrier or underwriter must decide to extend coverage, under what terms, and enter into a contract of insurance with the particular enterprise to be covered.

12. Is there a repository of diligence questions used by carriers?

Bob: I am not aware of such a repository. What I’ve seen indicates considerable variety among questions and approach to cyber diligence.

13. Are you seeing any insurance discounts for any frameworks/certifications?

Bob: I am not aware of any. However, I would think that frameworks and certifications would make it more likely that a company could get insurance and should affect the premiums paid.

14. Any concern of brokers being impersonated to gather data? Since so much of the data is sensitive, should we be performing supplier risk assessments or is it enough to do standard diligence and just contact the provider directly to see if they are authorized.

Bob: it makes sense to do diligence on the broker and to carefully manage system access, and what information about networks and systems, is provided to a broker. They should be asked to demonstrate bone fides.

15. I have a client who says he is receiving more and more audit requests from clients, but many of the audits come directly from the auditor, not the client, so they are suspicious of the source. Any suggestions for handling auditors?

Bob: I don’t have knowledge of these circumstances. However, it is possible that client auditors will ask their audit clients questions about the cyber or supply chain security of key supply chain participants of the client.

16. Do we 'assume' that insurance companies are hiring certified auditors or how else would we (DiB) trust an insurance monitoring?

Bob: right now, there is no reason to “assume” that any cyber review by an insurance company is “qualified.” However, I have seen instances where the entity doing the cyber review is identified and where their credentials can be viewed.