The dental office I described in last week's HIPAA Security Briefing did not have cyber liability insurance. Most small medical and dental practices do not. The ones that do have a policy often discover, in the middle of a breach, that the carrier has more reasons to deny the claim than to pay it.

Cyber insurance is not a substitute for the controls. It is a backstop on top of the controls. Carriers underwrite based on what is in place, and they pay out based on what was in place at the moment of the breach, not what the policy summary said you bought.

Here are the five things your carrier will check before paying a claim, and what each one means in practice for a small business.

One: Multi-factor authentication on every administrator account

Every cyber liability application asks the question. Most applications now require it as a condition of the policy. The carriers learned, painfully, between 2020 and 2023, that the single biggest predictor of a payable ransomware claim was MFA on admin accounts.

If your application said yes and the breach happened because an administrator's password was stolen and there was no MFA on the admin account, the carrier has grounds to deny under the application warranty.

This is not theoretical. There is a published 2022 case, Travelers v. ICS, where a carrier rescinded a policy after a ransomware breach because the insured had answered yes to the MFA question on the application but had not deployed MFA on all admin accounts. The court agreed with the carrier.

What this means for you. If you tell the carrier you have MFA on admin accounts, you must have it on every administrator account in every system that touches sensitive data. Not most. Every. The first thing the forensics firm does after a breach is enumerate which accounts had MFA at the time of compromise. If any privileged account was missing it, the claim path narrows.
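The check the forensics firm runs after the fact is the same check you can run before you sign the application. The script below is an added example, not part of this briefing or of any carrier's process: it takes an account export from your identity provider (the CSV columns and the sample rows are constructed for the example; the privileged role names are an assumption you would replace with the roles your own systems use) and lists every privileged account, including service accounts, that has no MFA enrolled. If the list is not empty, the honest answer on the application is "no" until it is.

```python
"""Privileged-account MFA coverage check.

Added example, not from the original briefing. Assumes an account export
in CSV form with the columns shown in SAMPLE_EXPORT; adapt parse_export()
to whatever your identity provider actually produces.
"""
import csv
import io

# Constructed sample export resembling a small practice's directory.
# Note the two service/vendor accounts holding admin roles without MFA.
SAMPLE_EXPORT = """\
user,roles,mfa_enrolled,last_sign_in
dr.lee,GlobalAdmin;User,true,2024-03-01
frontdesk,User,false,2024-03-02
it-vendor,GlobalAdmin,false,2023-11-20
backup-svc,BackupOperator,false,2024-02-28
hygienist2,User,true,2024-03-01
office.mgr,BillingAdmin;User,true,2024-03-01
"""

# Roles treated as privileged for this example (an assumption; use the
# role names from your own systems, and err on the side of including more).
PRIVILEGED_ROLES = {"GlobalAdmin", "BackupOperator", "BillingAdmin", "SecurityAdmin"}


def parse_export(text):
    """Parse the CSV export into a list of account dicts with a role set and an MFA flag."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        roles = {r.strip() for r in row["roles"].split(";") if r.strip()}
        mfa = row["mfa_enrolled"].strip().lower() in {"true", "yes", "1"}
        accounts.append(
            {"user": row["user"].strip(), "roles": roles, "mfa": mfa,
             "last_sign_in": row["last_sign_in"].strip()}
        )
    return accounts


def privileged_without_mfa(accounts, privileged_roles=PRIVILEGED_ROLES):
    """Return (sorted) the users that hold any privileged role but have no MFA enrolled."""
    return sorted(
        a["user"] for a in accounts
        if a["roles"] & privileged_roles and not a["mfa"]
    )


def mfa_coverage(accounts, privileged_roles=PRIVILEGED_ROLES):
    """Return (privileged accounts with MFA, total privileged accounts)."""
    privileged = [a for a in accounts if a["roles"] & privileged_roles]
    covered = sum(1 for a in privileged if a["mfa"])
    return covered, len(privileged)


def attestation_is_accurate(accounts, privileged_roles=PRIVILEGED_ROLES):
    """True only when every privileged account has MFA: the 'every, not most' standard."""
    return not privileged_without_mfa(accounts, privileged_roles)


if __name__ == "__main__":
    accounts = parse_export(SAMPLE_EXPORT)
    covered, total = mfa_coverage(accounts)
    print(f"Privileged accounts with MFA: {covered}/{total}")
    for user in privileged_without_mfa(accounts):
        print(f"  MISSING MFA: {user}")
    print("Answering 'yes' to the MFA question would be accurate:",
          attestation_is_accurate(accounts))
```

Keep the export and the script output with the date you ran it; that is the evidence that backs the answer on the application. Run it against every system that touches patient or business data, not just the main directory, since a practice-management server or cloud backup console with its own local admin accounts counts just as much as the domain.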

Two: Endpoint detection and response on every endpoint that touches business data

Carriers ask whether you have endpoint detection and response, often abbreviated EDR. They are not asking whether you have antivirus. Antivirus and EDR are different products. EDR is what catches the post-exploit lateral movement that antivirus misses. The major carriers now require it on every endpoint as a condition of full coverage.

What this means for you. If you say yes on the application, you must have EDR on every laptop, every desktop, and every server that touches business or patient data. The carrier will ask the forensics firm whether the endpoint that was breached had EDR running at the time. If the breach happened because that one machine in the back office was running standard antivirus instead of EDR, the carrier may exclude the loss tied to that endpoint.

Three: Documented backups, tested within the last 12 months

The application asks whether you have backups. Of course you do. The next question is whether the backups are immutable, offline, or otherwise protected from ransomware.

The most common reason a small practice cannot recover from ransomware without paying the ransom is that the backup drive was connected to the same network as the production systems. The ransomware encrypted the backups along with the live data.

What carriers want, and what increasingly is a coverage requirement:

- Backups stored off-network or with immutable storage controls
- At least one offline copy that ransomware cannot reach
- Documented restoration test within the last 12 months
- Recovery time objective and recovery point objective documented in writing

If you cannot produce a written backup policy and a recent restoration test log, the carrier will treat the backup question on your application as overstated.

Four: Written incident response plan

You must have a written incident response plan. Not a checklist. A plan. It must identify the people, the vendors, the legal counsel, the public relations firm, and the law-enforcement contacts you will engage when a breach happens. It must include playbooks for at least three scenarios: ransomware, data exfiltration, and business email compromise.

The carrier asks for this as part of the application. They do not always ask for the document, but they reserve the right to. After a breach, the forensics firm will ask for it.

If your plan is "call our IT vendor," that is not a plan. That is a phone call. Carriers know the difference.

Five: Annual security awareness training, with phishing simulations, and documentation

The application asks whether you train your staff. Every small practice answers yes, because the office manager attended a one-hour HIPAA refresher three years ago.

What carriers want:

- Annual security awareness training for every employee, including dentists, hygienists, and front-desk staff
- Phishing simulation campaigns at least quarterly, with click-rate documentation
- A written training policy and roster signed by each employee acknowledging completion

After a breach, the carrier will ask which employee opened the malicious file and whether that employee had completed training. If they had not, or if the training was three years old, the carrier has grounds to argue the loss was caused by an uninsured negligence factor.

What this looks like in practice

A small practice with two providers and six staff can implement all five for under $4,000 a year, including the cyber insurance premium itself. The cost of NOT having them is the breach itself, plus a denied insurance claim, plus the legal fees defending against the carrier's denial.

Adams Cloud helps small practices in San Diego County implement all five before their next cyber insurance renewal. The work takes about three weeks. The result is a policy that will pay if you ever need to claim on it, instead of a policy you bought to feel safe, only to discover in the worst week of your business that it was unenforceable.

If your cyber insurance renewal is in the next ninety days and you want a pre-renewal control review before you submit your application, reach me at thabiti@adamscloudcyber.com.

Adams Cloud and Cybersecurity LLC. Service-disabled veteran-owned. CISSP, CCSP, Security+ certified. Practical cybersecurity and cloud advisory for small businesses.

Cyber Insurance Renewal Coming Up?

Adams Cloud helps small medical, dental, and professional services firms in San Diego County implement the controls carriers actually verify, before they submit the renewal application. Three weeks of work. Result: a policy that pays out when you need it.

Book a free consultation at https://adamscloudcyber.com