Trucking companies must protect themselves against cyber attacks – both in a preventive sense and in a reactive sense. The best-case scenario, of course, is for no successful attack to ever occur, which is why we often tell you about strategies to prevent such an event.
But what if an attack succeeds anyway?
That’s when cyber insurance is critical. Yet there are many issues to consider when choosing an insurer and a policy.
In recent years, cyber insurance has gone up in price even as insurers have placed more limits on what they cover. Often one policy doesn’t cover every potential risk, and a company must invest in multiple policies to close the gaps.
Any trucking company seeking insurance against cyber threats will find that five major types of coverage include:
According to Jeff Chronister, AAI, of Missouri-based Oller Akers Arney, many insurers will roll all this into a single policy. But the trucking company that’s buying the policy needs to be sure it’s all in there.
“It’s possible and preferred to get all of your exposures covered in a single policy with the same carrier,” Chronister says. “Each policy is different and the devil is in the details, especially on cyber policies. I would recommend that you have an independent risk advisor in your area review the risk assessment and the cyber policy to make sure your limits and coverage line up with your actual exposures.”
According to Chronister, trucking companies should prioritize covering the expenses associated with breach notifications.
“Anytime there is a breach where personal information was compromised, you’re required to take certain steps to secure the data as much as possible and/or repair the damage done to your customers or employees due to the breach,” Chronister says.
He added that trucking companies should also make sure they have enough coverage to deal with “social engineering.”
“Social engineering is specific to bad actors gaining access through your email system and basically finding an employee who lets them in through a link or attachment,” Chronister says.
Trucking companies should be sure that certain specific issues are included in their coverage, including:
NMFTA’s Director of Enterprise Security, Antwan Banks, says companies must assess their needs and their ability to withstand risk.
“One company may need $100,000 in coverage,” Banks shares. “Another company may need $1 million. But they need to understand what their risk appetite is, understand what their risk register contains and then understand the operational impact – how long they can afford to be without their key critical systems.”
Companies also need to understand the potential fallout of a cyber attack. Some may need to pay fines or penalties if they get attacked. Others may get sued. The military or the government may have secrets at risk of exposure.
“Establish a catalog of your risks and then rank them,” Banks says.
For some companies, Banks explains, continued operation of systems is more important than addressing an attack.
“When I worked at an online news network, they had web sites that you didn’t touch,” Banks says. “You couldn’t patch it, and they didn’t care if it got infected. They made $1 million every minute off their web site, so they would accept any amount of risk, especially during the elections. They couldn’t afford to be down.”
But most companies would not fall into a category like that, which is why Banks emphasizes the importance of a risk register. This involves establishing a catalog of all a company’s risks, then ranking them in order of severity.
“Make sure the risk register has input from the leadership,” Banks says. “A guy on the line may think something’s a risk, but the leadership may say they’re not really worried about that.”
Chronister states many insurers, including Oller Akers Arney, can assist trucking companies with this issue.
“There are companies who, along with writing the cyber liability policy, will offer risk assessments,” Chronister says. “Our agency offers risk assessment as well and, between the two, we can generally determine where your biggest potential risks lie.”
NMFTA member ArcBest Technologies established a risk register by using the National Institute of Standards and Technology’s (NIST) cybersecurity framework.
“We maintain a constant gap analysis of our cybersecurity program against the NIST cybersecurity framework,” says ArcBest Technologies’ Director of Information Security Byron Paschal. “Then we identify gaps, we talk through those gaps and we put items on the risk register. Then we rate them by severity or by risk, and those items on the risk register fall into a prioritized project list. That list is what we work on as an information security department.”
In today’s digital age, having cybersecurity insurance is crucial to safeguard your business from potential risks. To continue the conversation with NMFTA’s cybersecurity team, connect with Antwan Banks via email at firstname.lastname@example.org.