Essential Homework Before Shopping For Cyber Insurance

An executive at cybersecurity hardware company Yubico boils it down to six questions that companies should answer for themselves before they settle in for negotiations with a potential carrier. Two of them look to the company’s own systems: What are the carrier’s minimum security requirements, and how fast can we bring the company up to speed? “Of course,” he says, “it’s in the insurer’s interest to find any glaring weak links in an organization’s armor.”

The writer, who formerly headed Yubico’s Australian and New Zealand operations, says those minimum requirements will likely mirror what the Australian Cyber Security Center calls “The Essential Eight,” a detailed cybersecurity guide that comes with the imprimatur of the Australian Government and the Australian Signals Directorate. Pay particular attention, the writer says, to what kinds of vulnerabilities might have crept into your system as the result of the pandemic and more work being done from home, and how to address those vulnerabilities.

Two of his suggested questions relate to the carrier and the policy itself, as a kind of reverse due diligence. “It’s no secret,” he says, “that insurance companies stay in business by NOT paying out when they don’t have to or by keeping their payouts low.” Insurance companies, he notes, are increasingly trying to limit their losses by breaking up potential losses into discrete categories, e.g., losses due to downtime, systems replacement, and identity protection for affected customers. “That makes policies more complex, requiring brokers to shop around for reinsurers to spread the risk,” he says.

The writer is currently a vice president at Palo-Alto based Yubico’s Asia Pacific and Japan division. The company is described on its website as inventor of “strong authentication for the modern web.” One of its products is an electronic key that looks like an elaborated thumb drive, and is said to be used by companies including Microsoft, Amazon, Google and Facebook, as well as individual users.