Insurer to Trucking Companies: Be Smart about Cybersecurity Insurance

Antwan Banks - April 10, 2023

Trucking companies must protect themselves against cyber attacks – both in a preventive sense and in a reactive sense. The best-case scenario, of course, is for no successful attack to ever occur, which is why we often tell you about strategies to prevent such an event.

But what if an attack succeeds anyway?

That’s when cyber insurance is critical. Yet there are many issues to consider when choosing an insurer and a policy.

In recent years, cyber insurance has gone up in price even as insurers have placed more limits on what they cover. Often one policy doesn’t cover every potential risk, and a company must invest in multiple policies to cover them all.

Any trucking company seeking insurance against cyber threats will find five major types of coverage:

  1. First-party coverage, which indemnifies a company against its own losses.
  2. Third-party coverage, which indemnifies a company against liability for losses suffered by others for which the company could be held responsible.
  3. Remediation coverage, which covers the costs of various kinds of services required when a company is responding to any number of issues caused by a cyber attack.
  4. Fines and penalties coverage, which protects against various costs that may be imposed by regulatory agencies or civil judgments for violations.
  5. Risk management services, which indemnify the organization against the costs of boosting security and mitigating risk of future cyber attacks.

According to Jeff Chronister, AAI, of Missouri-based Oller Akers Arney, many insurers will roll all this into a single policy. But the trucking company that’s buying the policy needs to be sure it’s all in there.

“It’s possible and preferred to get all of your exposures covered in a single policy with the same carrier,” Chronister says. “Each policy is different and the devil is in the details, especially on cyber policies. I would recommend that you have an independent risk advisor in your area review the risk assessment and the cyber policy to make sure your limits and coverage line up with your actual exposures.”

According to Chronister, trucking companies should prioritize covering the expenses associated with breach notifications.

“Anytime there is a breach where personal information was compromised, you’re required to take certain steps to secure the data as much as possible and/or repair the damage done to your customers or employees due to the breach,” Chronister says.

He added that trucking companies should also make sure they have enough coverage to deal with “social engineering.”

“Social Engineering is specific to bad actors gaining access through your email system and basically finding an employee who lets them in through a link or attachment,” Chronister says.

Trucking companies should be sure that certain specific issues are included in their coverage, including:

  • Claims that arise from misconduct by a vendor
  • Coverage for loss of information on unencrypted devices
  • Coverage to the earliest retroactive date possible, since losses from an attack sometimes go undetected for long periods of time

NMFTA’s Director of Enterprise Security, Antwan Banks, says companies must assess their needs and their ability to withstand risk.

“One company may need $100,000 in coverage,” Banks shares. “Another company may need $1 million. But they need to understand what their risk appetite is, understand what their risk register contains and then understand the operational impact – how long they can afford to be without their key critical systems.”

Companies also need to understand the potential fallout of a cyber attack. Some may need to pay fines or penalties if they get attacked. Others may get sued. The military or the government may have secrets at risk of exposure.

“Establish a catalog of your risks and then rank them,” Banks says.

For some companies, Banks explains, continued operation of systems is more important than addressing an attack.

“When I worked at an online news network, they had web sites that you didn’t touch,” Banks says. “You couldn’t patch it, and they didn’t care if it got infected. They made $1 million every minute off their web site, so they would accept any amount of risk, especially during the elections. They couldn’t afford to be down.”

But most companies would not fall into a category like that, which is why Banks emphasizes the importance of a risk register. This involves establishing a catalog of all a company’s risks, then ranking them in order of severity.

“Make sure the risk register has input from the leadership,” Banks says. “A guy on the line may think something’s a risk, but the leadership may say they’re not really worried about that.”

Chronister states many insurers, including Oller Akers Arney, can assist trucking companies with this issue.

“There are companies who, along with writing the cyber liability policy, will offer risk assessments,” Chronister says. “Our agency offers risk assessment as well and, between the two, we can generally determine where your biggest potential risks lie.”

NMFTA member ArcBest Technologies established a risk register by using the National Institute of Standards and Technology’s (NIST) cybersecurity framework.

“We maintain a constant gap analysis of our cybersecurity program against the NIST cybersecurity framework,” says ArcBest Technologies’ Director of Information Security Byron Paschal. “Then we identify gaps, we talk through those gaps and we put items on the risk register. Then we rate them by severity or by risk, and those items on the risk register fall into a prioritized project list. That list is what we work on as an information security department.”

In today’s digital age, having cybersecurity insurance is crucial to safeguard your business from potential risks. To further a conversation with NMFTA’s cybersecurity team, connect with Antwan Banks via email at antwan.banks@nmfta.org.

Antwan Banks

Antwan Banks is an accomplished cybersecurity professional with extensive experience in various high-profile roles. He currently serves as the director of enterprise security for the NMFTA, where he plays a pivotal role in educating the trucking and supply chain industry about the myriad of intricate security risks associated with enterprise networks. Prior to NMFTA, Antwan served as the director of cybersecurity at the Metropolitan Atlanta Rapid Transit Authority (MARTA), where he managed cybersecurity operations and built the Information Security Office to safeguard various systems and networks. Antwan's expertise also extends to his military service as a United States Army Lieutenant Colonel, where he oversaw IT and computer security projects in Germany and the Middle East and served as a military advisor to the Saudi Arabian military Chief Information Officer.