Questions to ask when considering a cyber insurance policy for your business

In our experience as treasury management advisors, which includes helping businesses ensure adequate and appropriate fraud controls, we’ve seen some scary fraud attempts. We suggest to all business owners to ask an experienced banker about his or her exposure to fraud cases over the years. We hope you’ll be scared, too, because by understanding the all-too-real risks to your business, you can help prevent fraud.

Prevention is absolutely the most important thing to focus on. Consider this conclusion from Certified Fraud Examiners in a 2016 report issued by the Association of Certified Fraud Examiners (AFCE): “Small organizations had a significantly lower implementation rate of anti-fraud controls than large organizations. This gap in fraud prevention and detection coverage leaves small organizations extremely susceptible to frauds that can cause significant damage to their limited resources.”

Our message is always to work toward strengthening and maintaining your approach to fraud prevention.

Then, secondarily, you may also wish to contact an insurance professional to discuss whether a cyber insurance policy may be a fit for your business. We have personally seen a few examples where such policies recouped their costs after instances of fraud.

From our perspective in treasury management, we offer several questions you may like to discuss with an insurance professional if you are exploring a cyber insurance policy for your business:

• Does the insurance company offer one or more types of cyber insurance policies, or is the coverage simply an extension to an existing policy? In most cases, a standalone policy is best and more comprehensive. Also find out if the policy is customizable to an organization.
• What are the deductibles? Be sure to compare deductibles closely among insurers, just like you do with health, vehicle, and facility policies.
• How do coverage and limits apply to both first and third parties? For example, does the policy cover third-party service providers? On that note, find out if your service providers have cyber insurance and how it affects your agreement.
• Does the policy cover any attack to which an organization falls victim or only targeted attacks against that organization in particular?
• Does the policy cover non-malicious actions taken by an employee? This is part of the errors and omissions (E&O) coverage that applies to cyber insurance, as well.
• Does the policy cover social engineering, as well as network attacks? Social engineering plays a role in all kinds of attacks, including phishing, spear phishing, and advanced persistent threats (APTs).
• Because APTs take place over time, which can be months to years, does the policy include time frames within which coverage applies?

We’d like to suggest that while you keep these important questions in mind, you also make sure to pay equal or more attention to establishing and maintaining antifraud controls to reduce your organization’s vulnerability.

In particular, you need to minimize risks created by malware, as well as phishing, in which hackers attempt to access passwords and other sensitive information that can give them access to your electronic systems. To reduce these vulnerabilities:

• Dedicate separate computers for internet browsing and online banking access.
• On computers used for banking, block plugins and popups.
• Keep your software up to date.
• Change employee passwords frequently.
• Use Positive Pay (an electronic system for comparing cleared items with a file of known issues) and ACH debit filters and blocks to identify suspicious transactions.
• Reconcile your accounts daily online.

Finally, be sure to talk to your bankers and insurance professionals about their experiences with fraud cases. As we said above, we hope you’ll be a bit frightened by what you hear because electronic fraud is all too common and damaging.