What CFO’s Need to Know About Cybersecurity Insurance

What CFO's Need to Know About Cybersecurity Insurance (part 2)
What CFO's Need to Know About Cybersecurity Insurance (part 2)
Written by Heather Cole on April 15th, 2021

Last week we discussed how the world is changing and as a result the CFO’s office needs to get more active and increase their knowledge of cybersecurity.  Here’s the link to last week’s blog.  We learned that Cybersecurity is the protection of internet-connected systems such as hardware, software, and data from cyberthreats and that this can take many forms.  We challenged you to meet with your CISO and CIO and have a risk assessment evaluation. Today we will discuss what CFO’s need to know about cybersecurity insurance.

It is important to know that we believe prevention is the best medicine when it comes to cybersecurity threats, but insurance is your backup plan. 

Two Forms of Cybersecurity Insurance

1. First-Party Cyber Liability Insurance

The first and most common policy every CFO must be familiar with is the First-Party Cyber liability insurance policy. First-Party Cyber liability insurance protects against data breaches at your company on your own systems.  This will protect you if someone hacks into your network or you are a victim of ransomware.  It typically pays for the costs of:

  • Investigating the breach
  • Notifying customers and regulators
  • Managing the ensuing crisis
  • Providing credit monitoring to affected individuals
  • Public relations and reputational costs

Cyber liability insurance also can pay for customer claims resulting from the theft or breach of customer data on your network. So, you should see if you can add a First-Party Cyber liability insurance to your general liability insurance or business owner's policy.

2. 3rd Party Cyber Insurance is in addition to E&O

At Lodestar Solutions we recommend all clients take their cyber insurance requirements a step further.  We believe you should ensure that your 3rd party technology consultants also carry Cyber Insurance!  Yes, you should put the requirement for cyber insurance in your agreements with your consultants.

Make your consultants carry Cyber Insurance!

I am always shocked when clients provide Lodestar Solutions with their standard services contract before an engagement, and it has insurance requirements for general liability but nothing requiring their consultant’s firm carry cyber security insurance. 

Errors & Omissions Insurance

It is important to know that Errors and Omission (E&O) is different than a Cyber Liability policy.  Typically, a technology E&O protects the consulting firm when their client is harmed.  For example, if the consultant makes a mistake or forgets to do a critical task that hurts a client financially.  These mistakes can range from recommending inappropriate technology to failing to meet project deadlines.  When a client sues to recover losses, technology E&O insurance will pay for a firm’s legal expenses, including:

  • Attorney's fees
  • Court costs
  • Money paid to settle a lawsuit
  • Legal judgments (what a judge or jury orders you to pay)
  • Related costs, such as court and expert witness fees

3rd Party Cyber Insurance

It is important to know that an additional 3rd party cyber insurance policy may be needed by the consulting firm to provide protection when the client is harmed by a cyber breach of their system which originated from the negligence of the consultant.

Imagine hiring an independent consultant, a one-person shop at a discount rate.  You give them access to your system to upgrade your Cognos software.  But when they are accessing your system, they are not careful, and they use the WI-FI at Starbucks.  While sipping their latte, a hacker can obtain the information needed to access your network.  A month later you discover your system is compromised, and secure personal information of your clients has been downloaded.  When your IT team discovers the breach, they tie it back to the consultant that you hired at a discounted rate.  Unfortunately, the consultant does not carry E&O or Cyber Insurance….

The moral of the story, you should require your consultants to carry additional Third-Party Cyber liability insurance in addition to their errors and omissions insurance.  You should educate your procurement department and update standard service contracts to require specific levels of insurance should be specified in your contract.


You can’t stop now!  You must continue learning about cybersecurity.  For more information on Cybersecurity insurance, I recommend: 

In Summary

I hope you learned a little bit about what CFO’s need to know about cybersecurity insurance today and how important Cybersecurity is to the longevity of your organization.  But knowing the risks are not enough!  You must make sure you take the first step and set up a call with your insurance agents to discuss your Cybersecurity insurance needs.  If your agent appears to not really understand cybersecurity insurance, find a new agent!    If you have questions, I am happy to connect you with the insurance agents I work with.  Just email me at Services@lodestarsolutions.com.

What CFOs Need to Know About Cybersecurity (Part 1)

What CFO's Need to Know About Cybersecurity
What CFO's Need to Know About Cybersecurity
Written by Heather Cole on April 8th, 2021

As the world continues to change, and more people are working from home, the CFO’s office needs to get more active and increase their knowledge of cybersecurity.  Cybersecurity is the protection of internet-connected systems such as hardware, software and data from cyberthreats.  There are many aspects of cybersecurity including password usage, data encryption, use of public wi-fis, and ransomware attacks.  Heck even having your AC connected to your internet so you can monitor it, can leave you exposed.  Today we will discuss what CFOs need to know about cybersecurity.

Why CFO’s Need to be More Cybersecurity Vigilant

“Cybersecurity breaches have become the top financial threat facing companies, making it essential for CFOs to play a pivotal role in managing the risk,” according to FM- Magazine.  

IBM estimates the average cost of a breach is $3.86 million.  A recent IBM study found that a majority of organizations (76%) predicted that remote work would make responding to a potential data breach a much more difficult ordeal.  52% of breaches were caused by a malicious attack and 80% of breaches included customer’s personal identifiable information.  To receive a copy of the IBM Cost of Data Breach Report 2020 go to IBM.com.

The Challenge

The challenge is that most CFOs are unaware of their risk and surprised when they learn they have exposed data vulnerable to cyberattacks.  CFOs must keep cyber risk top of mind, making it part of their regular dialogue with the C-suite and other operating leaders as they assess their risk and potential business disruption.  But the first step is to understand the types of Cybersecurity threats.

Types of Cybersecurity Threats Include:

  • Malware is a form of malicious software in which any file or program can be used to harm a computer user.  Malware can be installed by clicking a link from an unknown source. Malware includes worms, viruses, Trojans, and spyware.
  • Ransomware is another type of malware where the creators hold your systems ransom and demand payment to decrypt and unlock it.
  • Social engineering is an attack that relies on human interaction to trick users into breaking security procedures to gain sensitive information that is typically protected.
  • Phishing is a form of social engineering that is often targeted at the office of finance where the offender sends a fraudulent email that resemble those from reputable or known sources asking for banking details, logins, or other sensitive data.
  • Insider threats are security breaches or losses caused by humans -- for example, employees, contractors, or customers.  Insider threats can be malicious or negligent in nature.
  • Advanced Persistent Threats (APTs) are prolonged targeted attacks in which an attacker infiltrates a network and remains undetected for long periods of time with the aim to steal data.

For more information on understanding the basics of cyberthreats check out this interesting Cybersecurity blog.

Since I am not a security expert, I decided as part of my research for this blog to sit down with Reshma Moorthy of Frontier Technologies and Raj Soni of Adaptive Systems, two security experts and friends of mine.  I asked them to share their ideas on What Every CFO Needs to Know About Cybersecurity.  We created a video to help educate CFOs.  After you watch our discussion then it is time to take action! 

Steps CFOs Should Take Immediately

Now that you have a basic understanding of the everchanging Cybersecurity threats, you need to act!  Lodestar Solutions recommends that you take the following steps immediately.

  1. Cybersecurity Risk Assessment Meeting - Set up a meeting with your CSO and CIO to do an initial cybersecurity risk assessment.  The goal of this meeting is not to solve all the challenges. The goal of the meeting is to discuss and listen to the risks, then try to rank them based on the potential business disruption and cost.  You may want to engage an outside firm to help you with your risk assessment.  If you need names of firms to help, email us at Services@lodestarsolutions.com and we will connect you with people we know.

  2. Review Your Insurance Levels - Are you insured against a cyber threat and if so to what level?  Cybersecurity insurance policies are constantly changing so you should have an insurance review checkup.  Prevention is a better answer than insurance, but it could help when you experience a breach.  (Yes, I said when not if.)

I realize as I write this that understanding cyber insurance can be a big topic in and of itself.  Therefore, I will share more information about the two types of insurance you need to review in next week’s blog. 

In Summary

I hope you learned a little bit about what CFOs need to know about cybersecurity today.  But knowledge is not power.  ACTION is Power.  So, make sure you take the first step and set up a risk assessment meeting.  If you have questions, I am happy to connect you with security experts.  Just email me at Services@lodestarsolutions.com.