Compliance-as-a-Service

In our previous article, Cyber Liability Insurance and Compliance, we talked about the reasons insurance companies deny claims. In this article, we will talk about how compliance-as-a-service helps you stay compliant with the insurance policy, and make your IT infrastructure more secure. In the event of after a data breach or other data loss events, you will have a better chance to make a successful claim.

How to automate and speeds cyber liability insurance claims

Let’s face it, compliance requirements for cyber liability insurance can be quite complex. This is why so many claims are denied. However, maintaining compliance is not difficult to do. It simply requires routine security assessments, documentation, and proactive prevention measures — all of which can automate with the right assessment and compliance tools.

The process of assessing and maintaining compliance to any standard is the same, regardless of industry:

  • Understand expectations –  Make sure your cyber liability insurance policy is reviewed by a trusted advisor with experience in the field. This can be the difference between making a successful claim or having it denied.

  • Establish policies and procedures – Having policies and procedures is an essential part of risk management and compliance with insurance company requirements. Enforcing a password policy that requires certain complexity and periodical changes, is an example of such policies.

  • Regularly assess compliance – Having an initial assessment to understand the risk factors in your IT infrastructure is only the beginning. Periodic assessments to find gaps in security, are key when making a cyber liability insurance claim.

  • Address non-complianceCyber Liability insurance is not a substitute for cybersecurity. If risk factors are discovered during one of the periodical assessments, take remediation actions immediately. Remember that bad actors work 24 x 7 trying to find the smallest gaps in security.

  • Document everything – IT infrastructure is constantly changing. Addition to hardware and software, and new employees and contractors with access to sensitive areas are a common occurrences. All changes must be dutifully documented to stay compliant with the cyber liability insurance policy.

Compliance-as-a-service for cyber liability insurance

The Difference of Auditing with Automation: Compliance-as-a-Service Manager

Every insurance company has its own set of policies, riders, contract exceptions, and fine print. SotoNets’ Compliance-as-a-Service Manager focus is its commitment to simplicity, dynamic worksheets, and ease of collaboration among multiple stakeholders.

Here is what you can expect when you file a claim::

Automate-Complicance-as-a-Service

Using Compliance-as-a-Service Manager by SotoNets Cloud Solutions

  • Top insurance company compliance standards built-in – Our compliance-as-a-Service manager maintains the application forms from the largest cyber insurance carriers and incorporates their specific questions into the platform.

  • Plug and play – With built-in application questions taken directly from dozens of the largest cyber insurance companies, there’s no guesswork when it comes to compliance with your client’s policy terms.

  • Easy to automate key functions – Many functions required to stay compliant are automated with Compliance-as-a-Service, including running periodical security checks, and generating reports.

  • Delivers reporting required for cyber liability insurance claim payouts – Reporting, when coupled with detailed compliance, is essential in recuperating costs from an attack.

Without Compliance-as-a-Service Manager

  • Invest hundreds of hours manually reviewing insurance compliance requirements–  Sift through documents, computer logs, contractor agreements and activities. The list is endless.

  • Build your own framework – You have to start from scratch to build a framework to try to fulfill the complex requirements of the insurance policy. Many hours of work that will probably never meet the standards the insurance company requires.

  • Manually conduct reporting – Filling a claim requires detailed information from your IT environment, contractor’s activities, computer logs, software installation, etc. This takes a tremendous amount of man-hours and resources to complete.

  • Lack of essential reporting – When working without the help of Compliance Manager the most essential reports to start a claim will take time to compile. Time is of the essence when a security breach occurs to preserve and produce evidence.

Claim without compliance-as-Service

Coverage Considerations

Cyber Liability Insurance covers financial losses from data breaches and other cyber events. The coverage may include lost profits, forensic investigations, regulatory fines, and reputation damage. You should have a cyber insurance policy to cover these losses. And now, with Compliance-as-a-Service Manager from SotoNets, you have the tools to meet that need. If you already have a policy, you can consider a supplemental policy that expands your coverage to include the cost of the managed service provider’s remediation work in the event of a breach, along with many other unique benefits.

Here is a list of the coverage your policy should offer, to cover first and third parties.

  • Cyber, Privacy, and Network Security Liability:
    • Liability for an organization’s failure to protect sensitive or corporate information. This includes the following:
      • Unintentional Violations of Privacy Regulations.
        • Failure of Network Security, which results in:
          • The Unauthorized Access or Use of the Computer Network.
          • Denial of Service Attack on the organization’s computer system.
          • Unintentional or unknowing transmission or a virus or malicious code.
      • Regulatory Liability:
        • Regulatory Proceedings and other Regulatory Inquiries.
      • PCI (Payment Card Industry):
        • Assessments ordered by Payment Card Providers
        • Fines/Penalties assessed by the Payment Card Provider.
  • Electronic, Social and Printed Media Liability
    • Legal Defense Costs and Damages resulting from:
      • Product disparagement, Trade Libel, False claims, Invasion of Privacy, plagiarism, copyright, trademark infringement, negligence in publishing content.
      • Coverage for the above does include Printed Materials.
  • Cyber Incident Response Fund
    • Coverage for Legal Services in determining the extent of the incident as well as how to respond to an incident.
    • Expenses for legal contractual requirements.
    • Forensic Expenses determining the cause and scope of a cyber incident.
    • Notification of affected individuals
    • Compliance expenses related to regulations: (Notification, credit monitoring, etc)
  • Business Interruption and Extra Expenses
    • Income loss that is a result of the interruption in an organization’s computer network.
    • Income loss as a result of the interruption of a shared computer system (Contingent Business Interruption).
    • Extra Expenses related to the network disruption as well as the contingent network disruption.
  • Digital Data Recovery Expenses
    • Expenses incurred by the insured related to:
      • Replacement of lost data
      • Restoration of damaged data
      • Re-collection of data
    • Expenses incurred to reduce or further mitigate each loss.
  • Network Extortion Expenses
    • Expenses incurred by the Insured in responding to an extortion threat.
    • Expenses incurred by the Insured to mitigate, or reduce such loss.
  • Specialist Endorsements
    • Reputational Event & Extended Period of Attrition ($100k / 90 days)
      • Expands the Definition of Business Interruption Loss to include those losses resulting from Customer Attrition.
      • Covers business owner facing a loss due to the downtime of their network AND the prospect of losing customers.
        • i.e. “They were hacked, I am not going to shop there anymore” or, “Hoka’s site is down, but I need my running shoes… I’ll just go to Dick’s”.
    • Invoice Manipulation (up to the same limit as Social Engineering)
      • A Form of Social Engineering Fraud where an actual (but fraudulent) invoice is being disseminated (and as a result Paid) to a malicious third party.
    • Extortion Threat Enhancement
      • Removes any condition that the theft or use of Protected Information was the result of unauthorized access or Use of the Insured’s Computer System; e.g. as long as the data is stolen and held for ransom, there aren’t any qualifying conditions as to how this occurred.
    • Betterment ($100k / 25%)
      • Replacement of Digital Data to a level BEYOND what existed to prior to the loss. If there was a loss and it is cheaper to put in upgraded security, or the situation warranted updated security, this endorsement will provide coverage for it.
    • Primary Insurance for Insuring Agreement
      • Regardless of the loss, the Notification Costs, etc., will be provided on a primary basis regardless if other insurance is in place that can possibly respond.
    • System Failure (full limit BI, 50% sublimit CBI)
      • Broadens the Business Interruption Coverage to include “events” such as Human Error, or Programming Errors, that might shut down the network, and carves back this to the Infrastructure Outage Exclusion as well.
    • Preventative Shutdown (14 days)
      • Pro-active Business Interruption Coverage:
        • E.g. Knowledge that a virus is running rampant amongst similar companies and allows for network shutdown while it spreads, and/or to add whatever patches are needed.
          • Or, the insured may know about a specific threat to their computer system, and wants to shut down to prevent the possibility of it being spread.
    • Period of Restoration Extended – 180 days
      • Policies generally have a 60 – 90 day time frame requiring a network to be operational after a loss. This Endorsement extends that time to 180 days.
    • Blanket Additional Insured as Required by Contract
      • Insured doesn’t have to list every contract that requires an Additional Insured on the Policy
        • E.g. If the insured enters into a contract with Pepsi, for example, they don’t have to provide documentation naming Pepsi, it would be automatically included.
    • Breach Response Indemnitee as Required by Contract
      • Contractually covers any organization that the insured has agreed to indemnify for Cyber Incident Response Expenses.
    • Business Interruption, Discovery Basis
      • Takes some of the forensics processes out of the claim adjudication process – simply “turning on the clock” on a BI Loss when the insured first discover it.
        • No need to determine when coverage was in place, etc….
        • Basic enhancement that the clock will start ticking during the policy period if the insured discovers the loss during the policy period (even technically if the loss happened before coverage was in place).
    • Conduction Exclusion Amended
      • The policy will defend the insured until there is Final, non-appealable adjudication against the insured.
        • E.g. The Insured had suit brought against them for Negligence in Maintaining Network Security – Until it is determined that the insured actually was willful in their negligence, this policy will defend the insured.
    • ERP Election Period Extended (60 days)
      • Election period (after the premium expired and the policy is not being renewed), gives the insured 60 days to report all outstanding matters from the policy period.
    • Optional Extended Reporting Period (1/100%, 2/150%, 3/175%)
      • If the policy is canceled, lapses, company is acquired, goes out of business, etc… they have 60 days to report a claim.
        • For 100% of the premium, they can purchase 1 year; 2 years for 150% of the premium; 3 years for 175% of the premium. This comes into play mostly at the time of the Named Insured being Dissolved in some capacity.

Compliance-as-a-Service Manager Is Aligned with Major Insurance Carriers

There are hundreds of insurance companies offering cyber liability insurance. But many of them tap into the same insurance carriers – the companies that actually collect your money and are responsible for paying claims.

Our Compliance-as-a-Service manager maintains the application forms from the largest cyber insurance carriers and incorporates their specific questions into the platform. The companies shown below are already included.

A Final Word

Compliance-as-a-Service Manager by SotoNets Cloud Solutions is the first and only purpose-built, role-based Compliance Process Automation platform. It combines a wizard-driven workflow engine, automated network, and computer data discovery, a web-based management portal, and built-in compliance document generation and archiving.

BUSINESS CONTINUITY
Keeps IT Running.

GET STARTED