The cyber liability insurance market is in turmoil. Insurers found themselves exposed to a significant increase in the volume and severity of ransomware attacks that they didn’t foresee. As a result, cyber insurers have experienced record losses. This has led to a hardening of the cyber liability insurance market where insurers are now providing less coverage and charging higher premiums. They’re also requiring businesses to provide more assurances that they have implemented cybersecurity best practices to appropriately defend against a cyberattack.
Insurers want their cyber liability policyholders to have basic cybersecurity best practices in place to mitigate their risk. This is where compliance comes in. Compliance is anything someone else makes you do. Insurers are requiring their policyholders to comply with cybersecurity best practices to get a cyber liability insurance policy. Whether compliance is with the demands of insurers or with the demands of legislators, they all have something in common: they want you to comply with a set of cybersecurity best practices.
So, what are cybersecurity best practices? Well, first, these best practices aren’t just something that someone at the FTC or an insurance company conjures up. Instead, insurers and legislators look to cybersecurity best practice frameworks for guidance. These frameworks are put together by respected organizations like the National Institute of Standards and Technology (NIST) and the Center for Internet Security (CIS).
The fact that there are established and well-known cybersecurity best practices is great news for dealerships. By following an established cybersecurity best practice framework, you will comply with the demands of both local and federal legislators as well as with the requirements of cyber liability insurance providers. And, most importantly, you’ll be able to sleep better knowing that you’ve implemented a set of practices that will protect your dealership’s finances, systems, and reputation from the cybercriminal.
It is important to note, however, that compliance is more than simply having all the right things in place. Compliance also has to do with how your specific implementation aligns with the best practice framework, today and tomorrow. For example, an insurance company is suing a policyholder who told them that they had implemented multi-factor authentication (MFA). Using MFA is a cybersecurity best practice. But the reality is that the policyholder had only implemented MFA in part. They had MFA in place to protect their firewalls but didn’t have it in place for administrative and privileged access. The policyholder then suffered 2 ransomware incidents. It turns out that the cybercriminals gained access to the policyholder’s network via a compromised admin account. The insurance company, rightfully, refused to pay.
Compliance requires the proper implementation of cybersecurity best practices, and this implementation is NOT static. For example, promptly applying new security patches to your systems is a cybersecurity best practice. If today you are up to date with your security patching, but a new patch comes out tomorrow and you fail to apply it, then you have fallen out of compliance. The hard truth that dealerships need to come to grips with is this: without the appropriate implementation and ongoing management of cybersecurity best practices, your dealership will fail to comply with federal and state cybersecurity requirements, and securing cyber liability insurance is going to become increasingly difficult and expensive. But even worse, failing to appropriately implement cybersecurity best practices leaves you vulnerable to the cybercriminal.