By Asher de Metz
When you read about the legal battle between food manufacturer Mondelez and its insurer, Zurich American Insurance, it really makes you stop and think, “What is the point of cyber insurance?”
Back in June 2017, Mondelez was among the international corporations hamstrung by the NotPetya ransomware. The attack took out 1,700 of the company’s servers and 24,000 laptops, and left it with over $100 million in damages.
Mondelez filed a claim with Zurich, citing the policy’s coverage of loss brought about by the “malicious introduction of machine code or instruction.”
In June 2018, after the White House had attributed the attack to Russia’s continued attempt to destabilize Ukraine, Zurich rejected the claim based on an exclusion in the policy that says it doesn’t cover loss stemming from “hostile or warlike action in time of peace or war … by any government or sovereign power, military, naval or air force, or agent or authority of any party specified above.”
Mondelez responded by suing Zurich for $100 million.
This leads us back to our original question – what is the point of cyber insurance? The answer is actually quite simple: Cyber insurance is important, but you should also do everything in your power to avoid ever filing a claim. Here’s what every company should do before buying cyber insurance.
Security first, then cyber insurance
Do not become disillusioned because of what’s happening between Mondelez and Zurich. Having cyber insurance could make the difference between a small company going belly up after an attack and living to fight another day. Cyber insurance is about protecting a company from a major loss. That cannot be overlooked.
However, the fact that cyber insurance is essential doesn’t mean it should be your first or only line of defense. Instead of focusing on the potential financial implications of a cyberattack, turn your attention to the steps you need to take to prevent an attack in the first place.
Focus on basic security measures
Mondelez is just one global organization caught unaware by ransomware. Merck, Maersk, FedEx, and even England’s National Health Service (NHS) are just a few of the organizations that have been hobbled by WannaCry, NotPetya, and other ransomware. Yet defeating ransomware is relatively simple if the right systems are in place.
Before you become the next victim, take care of basic security measures by doing the following:
- Lock your windows and doors – Ingress filtering restricts which traffic from the internet can reach your internal network, so it cannot be accessed and attacked from outside. Egress filtering controls what traffic and data can leave your network. Both are absolute musts.
- Patch all systems, keep all security software up to date – Make sure each and every one of your systems gets the latest patches as soon as possible. It only takes one opening for your entire network to be vulnerable.
- Strong passwords and multi-factor authentication (MFA) – You need to take passwords seriously. Your employees need to take passwords seriously. Don’t reuse passwords, and also make multi-factor authentication mandatory.
- Education and response planning – Consistently educate yourself and your employees so you don’t fall victim to phishing emails. Be aware of potential security risks. Your resilience program needs to include a response plan. Make sure everyone knows what to do if you’re attacked.
- Network segmentation – Keep your internal systems segmented. Physically air gap your critical systems from outside connections. This cannot be emphasized enough. If your backups are connected to the rest of your network, they’ll be infected too, and you can’t quickly recover infected devices.
- Backups and testing – Maintain clean backups that you can quickly and easily restore. Have a plan in place and test it regularly. Backups and other security measures are well and good, but they won’t matter if they don’t work.
Better safe than sorry
There’s nothing wrong with getting cyber insurance. In fact, it’s probably a good idea. Make sure you know exactly what’s in your policy, pay close attention to the fine print, and be thorough and diligent while examining all documentation. But before taking that measure, turn your attention to the most important precaution of all: basic security.
If you don’t make sure that all your “windows and doors” are properly locked, insurance won’t matter. Remember, there’s no reason to risk putting your fate in someone else’s hands when you have the power to prevent disaster from the start.