10 Tips When Considering Cyber Insurance

Data breaches are like lightning: one never knows when or where they’ll strike—or how much damage they will cause. Given their unpredictable nature, data breaches are difficult to budget for. Cyber insurance can help offset these unexpected costs, but keep in mind that it is not a substitute for implementing good data privacy and security practices. In addition, cyber insurance does not cover all expenses, such as diminished reputation or customer churn. 

Cyber insurance policies differ from most other types of insurance in that they focus on mitigating the legal liabilities that may arise down the road from a breach event. For this reason, cyber policies can be prescriptive about how an insured responds to a data breach. It is important to involve the relevant managers from across the organization early in the decision-making process so that each department's requirements are known and the policy options are understood. As experts in data breach best practices, we recommend that companies looking at cyber insurance consider the following steps:

1. Assess the risks for a data breach. Each company should evaluate its overall risk of experiencing a data breach and the sensitivity of its data. Some factors to consider: type of industry, applicable rules and regulations, the amount and type of data that a company stores, the prominence of its brand, its technology infrastructure and practices, the use of mobile devices, and the number of third-party contractors with access to sensitive data. 

2. Determine the financial resources available for an effective breach response. In 2011, the Ponemon Institute reported that cyber crimes cost organizations between $1.5 million and $36.5 million per data breach. Before investing in cyber insurance, an organization should determine whether it has the finances to cover network downtime, legal fees, forensic investigation, breach notification services, identity monitoring and recovery services, regulatory fines and penalties, and the expenses stemming from a class-action lawsuit.

3. Understand the company's current insurance coverage. Most organizations hold general liability insurance that covers tangible property only, such as replacing stolen laptops. That policy may not cover the cost of a hacker intrusion that results in a breach of customer data, and traditional policies do not explicitly cover first-party breach notification costs either. These gaps could leave an organization responsible for the full cost of a data breach response. Cyber insurance can be used to help cover those costs.

4. Evaluate policy options carefully. Cyber insurance typically covers liability for data breaches, remediation costs to respond to the breach, and regulatory and legal fines and penalties. However, the limitations on that coverage vary widely by carrier, industry and the company's risk profile. The terms of a cyber insurance policy may also restrict the way an organization responds to a data breach. For instance, a policy may cover only credit monitoring services for a breach of protected health information (PHI), even though credit monitoring does nothing to detect misuse of a patient's medical identity. Common coverage limitations include:

  • Third-party/contractor breaches
  • Offline or non-technical breaches, or so-called “paper” breaches
  • Breaches from lost devices, including laptops, flash drives, tablets, and mobile phones
  • Choice of vendors to respond to a breach, including legal counsel and data breach service providers
  • Types of monitoring services for the breached population, such as credit monitoring vs. medical identity monitoring

5. Perform a risk assessment. A comprehensive privacy and security risk assessment helps an organization identify, evaluate and mitigate gaps in its security and privacy program. Closing those gaps reduces the likelihood of a breach and lowers the exposure if one does occur. Having a third-party-documented risk assessment on file can also speed up the underwriting process and may even lower insurance premiums.

6. Find a knowledgeable broker. A broker who understands cyber insurance can break down and compare the offerings of different carriers. Brokers often provide value-added services that help identify and mitigate breach risks, and that can validate whether a policy is needed at all.

7. Take advantage of the value-added services offered. Some insurance brokers and carriers offer complimentary services to help reduce breach-related risk: free consulting or legal advice from industry experts, access to a proprietary portal of privacy and security resources, educational webinars, and policy templates. When weighing policy choices, organizations should evaluate these services as part of the overall offering. As a bonus, using them may improve a company's risk profile and lower its premium.

8. Get preferred vendors approved before the policy is finalized. Cyber insurance policies may require the insured to use the carrier's pre-approved vendors, such as legal counsel, rather than its own service providers when responding to a data breach. Such restrictions can degrade the quality of a response; for instance, the carrier's panel might route notification of a sensitive medical data breach through an out-of-country call center. We recommend that companies negotiate the right to use their favored vendors, or to select their own, before the contract is finalized.

9. Understand how to integrate the insurance claims process with internal breach response. A cyber insurance policy can change the way an organization manages data breach incidents internally. Once the policy is bound, the company should know how and when to involve the carrier if a breach occurs, since late notice can jeopardize coverage. This usually means updating documented procedures, such as the incident response plan (IRP), with the new roles and responsibilities, a revised timeline and current carrier contact information.

10. Avoid common pitfalls with the insurance carrier. Disputes over coverage most often arise when the insured does not fully understand the policy. For example, the carrier may mandate the use of its pre-approved vendors while the organization prefers to use its internal resources or favored vendors. It is best to resolve these conflicts before binding the policy.

Evaluating the need for cyber coverage is not a one-person job. Companies should discuss their data breach risks and risk management options cross-functionally, involving leaders from IT, risk management, privacy, compliance and legal departments. Working together, executives can more accurately quantify risks, evaluate options and develop a cost-benefit analysis to determine if cyber insurance is the right investment for their needs.
