Do Your ITAM and ITAD Processes Comply With Your Cyber Liability Insurance?

So you’ve purchased cyber insurance, and you are feeling pretty relieved. While this may be an excellent step, you still must take “due care” to protect your business from being compromised by a cyberattack. This extra review includes all your IT assets throughout their lifecycle. Remember, an IT asset is a piece of software or hardware within your information technology environment. Last month we shared vulnerabilities and tips to understand your entire environment if you are now a virtual or hybrid-remote company.

There are exclusions and limitations to any coverage you purchase, which you must comply with as a buyer (organization). That’s why it is crucial for you to assess whether you are compliant with the terms of your cyber insurance policy and ensure that any risks that could lead to non-compliance are remediated.

So if you think your data security policies are air-tight, let’s look at how the IT lifecycle can impact potential claims.

1. Unencrypted Devices and Employee-Owned Devices

Not all policies cover unencrypted or employee-owned devices. If you have or are about to purchase a policy that only covers encrypted devices, you are leaving yourself wide open to vulnerabilities. These are very real exclusions that buyers sometimes say they did not understand in the policy language. If you have already purchased this policy, talk to your agent, and strengthen your encryption and employer-owned-only work policies.

2. Understand Exclusions for “Acts of Foreign Enemies”

Threats exist for organizations of all sizes, and we now know that many of these originate from abroad. While you can do your best to minimize these threats, it’s challenging to be 100 percent secure in today’s hybrid and evolving IT asset environments. Therefore, experts strongly advise companies to limit the scope of these types of exclusions when purchasing a cyber insurance policy.

3. Failure to Document Employee Training and Policies

The world of Zoom training has created a need for stronger documentation and protocols. While you may have and require robust training, you need to ensure nothing slips through the cracks. The onus is on you to ensure all employees know your requirements regarding ITAM/ITAD and data security. Many companies now provide recorded training and flex schedules. While you may be able to prove who was on a Zoom call, can you prove who watched a recorded training? And, more importantly, how did you ensure they understood the information provided to them? The better bet is to require hard copy sign-ins and some form of testing to show that your team accurately understands your policies.

4. Are Third-Party Vendors Part of Your Environment?

If you are using vendors and consultants, exclusions abound. You must understand what is covered and what is not. If third-party vendors are part of your ITAM environment, you need to know what they are doing to protect their IT asset lifecycle and guard against security threats. And if they caused the vulnerability, are you covered?

A one-size-fits-all policy rarely fits an organization. Your broker should be willing to complete an assessment to ensure your needs are being met. Depending on the price and type of policy, you can expect to be covered for extra or abnormal costs resulting from either a) the physical destruction or b) the theft of information technology (IT) assets. Whether this includes vendors, remote employees, or an employee losing a device (for example) remains to be seen.

Ask the questions and tighten up your processes to fit the answers you are given. The biggest risk in purchasing a cybersecurity policy is the false sense of security it can give a company. So, you’ve made a purchase; now is not the time to rest on your laurels. Contact us today; we’d be happy to help: https://reclamere.com/contact-us/.

