I received my new business insurance policy. I'm not sure why I look through these things except to keep an eye out for things that don't make sense. I say I don't know, because I fully admit that I've never really figured out insurance terminology.
In my opinion, if you need an example of industry-specific terminology, insurance is a great place to start. Maybe insurance sales people say the same thing about technology. I understand every single word I read - until I read them in a sentence in my insurance policy.
Anyway . . . I'm thumbing through this fat document and I find the page printed here:
Here's what's going on here. First, this notice is information only, not part of cybersecurity insurance or even the business property insurance to which it is attached. Second, my insurance provider wants me to educate myself about data breach, identity "theft," and the laws in California related to those things.
Third, this is a self-help portal for information. But, fourth, there's a phone number I can call to help me with both breach preparedness and breach response.
I've heard lots of smart people (including Mike Semel of Semel Consulting) point out that you should be looking to insurance companies for leadership. They've been hit by ransomware where it hurts: their wallet! And they've responded. One response, obviously, is to raise everyone's rates. Another is help to minimize the problems that can lead to payouts.
Note, also: You and your clients have some serious responsibilities if you want to get a payout after a data breach. If you don't know what's required, you probably don't have a checklist to make sure you're insured.
In this case, I'm dealing with Nationwide Commercial Insurance. Once I logged into the site, I found a treasure trove of free services, including:
- Pre-Incident Legal Consulting (one hour). There is a list of topics that can be discussed, including risk assessment, incident response planning, and development of related policies and procedures.
- Cybersecurity Risk Consulting (one hour). Plus discounted rates on services. These services include security audits, vulnerability assessments, and penetration testing.
I know an hour doesn't go far, but it's a start!
The site also includes an "Incident Roadmap" that can be used as a starter for building your own incident response. And there are sections for news, legal updates, risk assessment tools, and more. There's also some good training from some brand names you've seen before.
Two lessons from this excursion into my insurance policy:
1) Thumb through your policies and see what services you might have available to you for the money you're already paying. And if you're not willing to do that, call your agent and ask them to go fishing for it.
2) If you've been putting off "dealing" with the cybersecurity threats to your business as well as your clients, it's really time to dig in. At least protect your company, your data, and your butt.