If you are in the cybersecurity or compliance industry long enough, you’ll likely encounter an executive who would prefer to just “fix” what happened and not disclose, report, or notify affected parties of a data breach. It’s difficult to understand their rationale, especially when it involves regulated data that requires reporting. However, if breaking the law, being non-compliant, and ethics aren’t enough to persuade the organization to do the right thing, maybe there is one more approach that moves the needle.
The pocketbook, namely as it relates to cyber insurance. Money talks, right?
This excellent video by Joseph Brunsman goes into detail on some of the potential negative outcomes. It’s 13 minutes; watch it and take notes.
- Scenario 1: If regulators do find out and begin investigating you, your cyber policy very likely has exclusions for intentional acts, and certainly for criminal acts.
- Scenario 2: What happens when your policy is up for renewal next year? Every cyber application I’ve encountered asks whether you have had a security incident or data breach in the past X year(s). Are you going to continue to lie? That is an excellent tactic if your goal is to clearly commit fraud, void your contract, and forgo the payout.
PS: I just discovered Mr. Brunsman, but I’m glad to find someone with expertise sharing their insights. I downloaded his eBook, “Damage Control,” to see what he said about cyber applications, and after reading it I wanted to call him and say thank you. For context, I’ve long recommended that organizations include an independent attestation that details the implementation of their controls, policies, and procedures. To quote Brunsman:
“As a practical matter, applications may only provide space for a yes or no answer, while others will ask for lengthy explanations. If the business is ever in doubt as to the answer or there is not a definitive answer to the question posed, consider an addendum of explanation(s) provided to the underwriter. There is no need to be bashful and risk a potential denial of coverage… As a further word of warning concerning the application, businesses should understand that they are making representations that form the basis of a contract – the insurance policy. These representations may be held against them by the insurer following a breach.”
Brunsman, J. (2020). Cyber Insurance Applications. In Damage Control: Cyber Insurance and Compliance (p. 263). Chesapeake Professional Liability Brokers.