
// 28 Mar 2024

A different angle for World Backup Day: Are you actually meeting your cyber insurance requirements?

Jacob Berry, Field CISO

Happy World Backup Day on March 31! This day is a reminder to slow down and think about the reality of your business resilience posture.

This year I want to take a different angle to evaluating backup readiness. I want to examine the crossover between backups, security incidents, and cyber incident liability insurance.

The challenge with cyber insurance today

There is a common problem brewing in the industry: Cyber insurance policy requirements are a moving target.

If you don’t meet the minimum requirements and security controls, you may have trouble taking out a policy or renewing it, or in the worst case have a claim denied, with the insurer citing negligence.

Insurance companies have been quick to point out reasons they won’t cover organizations. Turns out cyber incidents happen a lot, and broad liability coverage for any incident isn’t a winning business model for the insurance companies.

To explain this in simpler terms let’s look at an example from another type of insurance most people are familiar with: car insurance.

If there is a car accident and the root cause of the accident is DUI, illegal activities, or simply speeding, the damages claims against the policy may be denied as these are all negligent activities.

In cyber security, what constitutes the equivalent of “speeding” is more nuanced. Clearly, if zero effort is put into cybersecurity – there is no program in place, and the basic efforts of patching software and putting in fundamental controls (such as backup) are missing – an insurance company would likely argue that the business is behaving negligently and deny claims.

A deeper dive: What controls are required for cyber insurance today?

Finding guidance on cyber insurance can be tough. Many articles offer varying degrees of help, legal professionals hold differing opinions, and legal proceedings are often hidden from the public. Most settlement disputes are handled through mediation instead of the court system.

There are, however, some good examples that we can learn from. Here are two that are widely referenced.

Columbia Casualty Co. v. Cottage Health System

Summary: Columbia Casualty Co. provided Cottage Health System with a cyber insurance policy. Following a data breach that exposed patients’ medical records, Cottage Health sought coverage under this policy for the ensuing liabilities.

Issue: Columbia Casualty Co. sought to deny coverage based on an exclusion in the policy that pertained to failures in maintaining minimum required practices for the security of the data. The insurer argued that Cottage Health’s negligence in securing its data network constituted a failure to follow industry-standard cyber security practices, which was a condition for coverage under the policy.

Takeaways: If you don’t follow and maintain industry standards such as NIST CSF, ISO 27001, or SOC 2, your carrier may deny coverage or claims.

Citations: casetext.com, insideprivacy.com

Travelers Property Casualty Company of America v. International Control Services Inc.

Summary: Travelers issued a cyber insurance policy to ICS, an electronics manufacturing services company. Following a ransomware attack on ICS’s server, which lacked multi-factor authentication (MFA), Travelers sought a declaratory judgment and rescission of the policy, citing alleged material misrepresentations by ICS regarding the use of MFA across the enterprise.

Issue: The core issue revolved around the alleged misrepresentations made by ICS in its insurance application, specifically its claim of employing MFA, which Travelers claimed was crucial for their decision to issue the policy.

Takeaways: In this case it’s clear that consistent enablement of controls across the entire environment is required to maintain material compliance with the insurance contract.

Citations: natlawreview.com

In both these cases, the insurance provider was seeking to deny claim payment based on a lack of security controls.

The legal debate on what constitutes reasonable minimum controls is still ongoing. On the other side of the issue is ensuring that the insurance providers are being reasonable. If you want to understand more about the doctrine that can be applied I recommend this article: Shouldn’t cyber-insurance cover negligence?

Here are my takeaways: Implementing fundamental controls, such as modern AV, 2FA, and immutable backups, saves money every time. If you don’t have controls in place, your chance of breach increases, the chance of being sued for negligence increases, and it’s likely that you will not have a financial backstop in insurance.

Back to World Backup Day

So what does this have to do with World Backup Day?

Today should be used as a mental placeholder to pause and evaluate your backup readiness. The financial future of your business may rely on it. No one wants to be in the awkward position of suffering a ransomware event with no backup, and then having the insurance claim denied as well because of that missing backup.

Ask yourself these questions today to make your audit process, insurance process, and incident response readiness easier:

  • Do I know where all my revenue-critical data is, on-premises and in the cloud?
  • Have I set an organizational standard for managing backups?
  • Do I know that my backups cover these data sources?
  • Have I tested the backups?
  • Can I easily prove compliance with my backup program goals?
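The questions above can be turned into a repeatable check that produces evidence for an audit or an insurance application. The following script is an added illustration, not Clumio's code: it reconciles a constructed inventory of revenue-critical data sources against backup job records, and flags sources with no backup, stale backups, non-immutable copies, and missing or stale restore tests. The data model, the sample inventory, and the policy thresholds (backup age, restore-test age, immutability requirement) are all assumptions chosen for the example.

```python
"""Backup readiness self-assessment over a constructed inventory.

Added example, not Clumio's code. The data sources, backup jobs, dates and
policy thresholds below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class DataSource:
    name: str
    location: str          # "on-prem" or "cloud"
    revenue_critical: bool


@dataclass
class BackupJob:
    source: str                                  # DataSource.name it protects
    last_success: date                           # last completed backup run
    immutable: bool                              # copy cannot be altered or deleted within retention
    last_restore_test: Optional[date] = None     # None means never restore-tested


# Assumed organizational backup standard (policy thresholds are constructed).
POLICY = {
    "max_backup_age_days": 1,         # a critical source must have a backup at most 1 day old
    "max_restore_test_age_days": 90,  # and a successful restore test within the last 90 days
    "require_immutable": True,        # and the retained copy must be immutable
}

# Constructed sample inventory: one compliant source, one uncovered, one with gaps,
# and one non-critical source that the check deliberately ignores.
TODAY = date(2024, 3, 28)
SOURCES = [
    DataSource("billing-db", "on-prem", revenue_critical=True),
    DataSource("crm-saas-export", "cloud", revenue_critical=True),
    DataSource("web-assets-s3", "cloud", revenue_critical=True),
    DataSource("dev-wiki", "on-prem", revenue_critical=False),
]
JOBS = [
    BackupJob("billing-db", date(2024, 3, 27), immutable=True, last_restore_test=date(2024, 2, 27)),
    BackupJob("web-assets-s3", date(2024, 3, 23), immutable=False),
]


def assess(sources: List[DataSource], jobs: List[BackupJob], today: date,
           policy: Dict = POLICY) -> List[Tuple[str, str]]:
    """Return (source name, finding) pairs for every revenue-critical source
    that misses the policy; an empty list means the program is compliant."""
    findings: List[Tuple[str, str]] = []
    jobs_by_source = {job.source: job for job in jobs}
    for src in sources:
        if not src.revenue_critical:
            continue                                      # only critical data is in scope
        job = jobs_by_source.get(src.name)
        if job is None:
            findings.append((src.name, "no backup job covers this source"))
            continue
        backup_age = (today - job.last_success).days
        if backup_age > policy["max_backup_age_days"]:
            findings.append((src.name, f"last successful backup is {backup_age} days old"))
        if policy["require_immutable"] and not job.immutable:
            findings.append((src.name, "backup copy is not immutable"))
        if job.last_restore_test is None:
            findings.append((src.name, "backup has never been restore-tested"))
        else:
            test_age = (today - job.last_restore_test).days
            if test_age > policy["max_restore_test_age_days"]:
                findings.append((src.name, f"last restore test is {test_age} days old"))
    return findings


def summary(sources: List[DataSource], findings: List[Tuple[str, str]]) -> Dict:
    """Roll findings up into the numbers an auditor or underwriter asks for."""
    critical = [s.name for s in sources if s.revenue_critical]
    failing = sorted({name for name, _ in findings})
    return {
        "critical_sources": len(critical),
        "sources_with_findings": len(failing),
        "failing_sources": failing,
        "compliant": not findings,
    }


def report(sources: List[DataSource], jobs: List[BackupJob], today: date) -> str:
    """Human-readable evidence of the check, suitable for attaching to an audit file."""
    findings = assess(sources, jobs, today)
    lines = [f"Backup readiness check as of {today.isoformat()}"]
    lines += [f"  FAIL {name}: {reason}" for name, reason in findings]
    lines.append(f"  summary: {summary(sources, findings)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SOURCES, JOBS, TODAY))
```

Running the script on the constructed inventory reports billing-db as clean, crm-saas-export as uncovered, and three separate gaps on web-assets-s3; in practice the inventory and job records would be exported from the asset register and the backup platform rather than typed in, and the report kept as evidence alongside the policy it was checked against.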

Clumio

If you can’t answer these questions, or feel it’s time to revisit them, give us a shout. We don’t think about backups just today; we think about them every day. Let our experts guide you to a more secure data resilience strategy that minimizes your exposure.

Jacob Berry

About the author

Jacob is Clumio’s Field CISO with a background in cyber security and technology, focused on helping customers build secure cloud operating environments. He has extensive experience in offensive and defensive security, security operations, and working across multiple verticals in both the private and public sectors.