Data breaches are like lightning: one never knows when or where they’ll strike—or how much damage they will cause. Given their unpredictable nature, data breaches are difficult to budget for. Cyber insurance can help offset these unexpected costs, but keep in mind that it is not a substitute for implementing good data privacy and security practices. In addition, cyber insurance does not cover all expenses, such as diminished reputation or customer churn.
Cyber insurance policies are different from most other types of insurance as they are focused on mitigating down-the-road legal liabilities that may arise from a breach event. For this reason, cyber policies can be prescriptive in their response to a data breach. It’s important to involve relevant managers from across the organization early in the decision-making process to make sure their departmental requirements are known and policy options are understood. As experts in data breach best practices, we recommend that companies looking at cyber insurance consider the following steps:
1. Assess the risks for a data breach. Each company should evaluate its overall risk of experiencing a data breach and the sensitivity of its data. Some factors to consider: type of industry, applicable rules and regulations, the amount and type of data that a company stores, the prominence of its brand, its technology infrastructure and practices, the use of mobile devices, and the number of third-party contractors with access to sensitive data.
2. Determine the financial resources available for an effective breach response.The Ponemon Institute recently reported in 2011 that cyber crimes cost organizations between $1.5 million and $36.5 million per data breach. Before investing in cyber insurance, organizations should determine if they have the finances to cover network downtime, legal fees, forensics investigation, breach notification services, identity monitoring and recovery services, regulatory fines and penalties and expenses stemming from a class-action lawsuit.
3. Understand a company’s current insurance coverage. Most organizations hold general liability insurance that provides coverage for tangible property only, such as replacing stolen laptops. However, the liability policy may not cover the cost of a hacker intrusion that results in the breach of customer data. Traditional policies also do not explicitly cover first-party breach notification costs. These gaps could leave an organization responsible for the full cost of a data breach response. Cyber insurance can be used to help cover those costs.
4. Evaluate policy options carefully. Cyber insurance typically provides coverage for liability for data breaches, remediation costs to respond to the breach, and regulatory and legal fines and penalties. However the limitations on the coverage can vary widely based on the carrier, the type of industry and a company’s risk profile. The terms of a cyber insurance policy may restrict the way an organization responds to a data breach. For instance, it may cover credit monitoring services for a breach of protected health information (PHI), which is not useful to monitor a patient’s medical identity. Common coverage limitations include:
- Third-party/contractor breaches
- Offline or non-technical breaches, or so-called “paper” breaches
- Breaches from lost devices, including laptops, flash drives, tablets, and mobile phones
- Choice of vendors to respond to a breach, including legal counsel and data breach service providers
- Types of monitoring services for the breached population, such as credit monitoring vs. medical identity monitoring
5. Perform a risk assessment. Performing a comprehensive privacy and security risk assessment can help an organization identify, evaluate and mitigate gaps in its security and privacy program. Lessening those gaps can reduce breach risks and lower exposure if a breach does occur. Having a third party-documented risk assessment on file can help speed up the underwriting process and may even lower insurance premiums.
6. Find a knowledgeable broker. A broker who understands cyber insurance can break down and compare the offerings from different insurance providers. They often offer value-added services that can help identify and mitigate breach risks, as well as validate the need for a policy.
7. Take advantage of value-added services offered. Some insurance brokers and carriers offer complimentary value-added services to help reduce breach-related risks: free consulting or legal advice from industry experts, access to a proprietary portal with privacy and security resources, educational webinars, and policy templates. When weighing policy choices, organizations should evaluate these services as part of the overall offering. As a plus, these offerings may help improve a company’s risk profile and and lower its insurance premium.
8. Get preferred vendors approved before the policy is finalized. Cyber insurance policies may require companies to use pre-approved vendors instead of their own service providers, such as legal counsel, when responding to a data breach. Such limitations can impact the quality of a response, for instance, the use of an out-of-the-country call center to manage the breach of sensitive medical data. We recommend companies negotiate the right to use favored vendors or select their own vendors before the contract is finalized.
9. Understand how to integrate insurance claims process with internal breach response. A cyber insurance policy could change the way an organization internally manages data breach incidents. Post binding the policy, companies should understand how and when to involve their carrier if a data breach occurs. This may include updating any documented procedures, such as an incident response plan (IRP) with new roles and responsibilities, revised timeline and current contact information.
10. Avoid common pitfalls with an insurance carrier. This most often happens when the insured does not fully understand the policy, causing a dispute on coverage. For example, the carrier may mandate the use of its pre-approved vendors, while an organization may prefer to use its internal resources or favored vendors. It’s best to resolve these conflicts before binding the policy.
Evaluating the need for cyber coverage is not a one-person job. Companies should discuss their data breach risks and risk management options cross-functionally, involving leaders from IT, risk management, privacy, compliance and legal departments. Working together, executives can more accurately quantify risks, evaluate options and develop a cost-benefit analysis to determine if cyber insurance is the right investment for their needs.
Rick Kam, CIPP and Jeremy Henley, CHPC. “10 Tips When Considering Cyber Insurance.” Insurance News and Info for Risk Managers, Agents, Brokers and Property & Casualty Pros. Property Casualty 360º, 28 Mar. 2012. Web. 09 Apr. 2012. <http://www.propertycasualty360.com/2012/03/28/10-tips-when-considering-cyber-insurance>.