10 Tips When Considering Cyber Insurance

Data breaches are like lightning: one never knows when or where they’ll strike—or how much damage they will cause. Given their unpredictable nature, data breaches are difficult to budget for. Cyber insurance can help offset these unexpected costs, but keep in mind that it is not a substitute for implementing good data privacy and security practices. In addition, cyber insurance does not cover all expenses, such as diminished reputation or customer churn. 

Read related: "Willis: Boards Must Be More Aware of Cyber Liability."

Cyber insurance policies are different from most other types of insurance as they are focused on mitigating down-the-road legal liabilities that may arise from a breach event. For this reason, cyber policies can be prescriptive in their response to a data breach. It’s important to involve relevant managers from across the organization early in the decision-making process to make sure their departmental requirements are known and policy options are understood. As experts in data breach best practices, we recommend that companies looking at cyber insurance consider the following steps:

1. Assess the risks for a data breach. Each company should evaluate its overall risk of experiencing a data breach and the sensitivity of its data. Some factors to consider: type of industry, applicable rules and regulations, the amount and type of data that a company stores, the prominence of its brand, its technology infrastructure and practices, the use of mobile devices, and the number of third-party contractors with access to sensitive data. 

2. Determine the financial resources available for an effective breach response. The Ponemon Institute recently reported in 2011 that cyber crimes cost organizations between $1.5 million and $36.5 million per data breach. Before investing in cyber insurance, organizations should determine if they have the finances to cover network downtime, legal fees, forensics investigation, breach notification services, identity monitoring and recovery services, regulatory fines and penalties and expenses stemming from a class-action lawsuit. 

3. Understand a company’s current insurance coverage. Most organizations hold general liability insurance that provides coverage for tangible property only, such as replacing stolen laptops. However, the liability policy may not cover the cost of a hacker intrusion that results in the breach of customer data. Traditional policies also do not explicitly cover first-party breach notification costs. These gaps could leave an organization responsible for the full cost of a data breach response. Cyber insurance can be used to help cover those costs. 

4. Evaluate policy options carefully. Cyber insurance typically provides coverage for liability for data breaches, remediation costs to respond to the breach, and regulatory and legal fines and penalties. However the limitations on the coverage can vary widely based on the carrier, the type of industry and a company’s risk profile. The terms of a cyber insurance policy may restrict the way an organization responds to a data breach. For instance, it may cover credit monitoring services for a breach of protected health information (PHI), which is not useful to monitor a patient’s medical identity. Common coverage limitations include: 

  • Third-party/contractor breaches
  • Offline or non-technical breaches, or so-called “paper” breaches
  • Breaches from lost devices, including laptops, flash drives, tablets, and mobile phones
  • Choice of vendors to respond to a breach, including legal counsel and data breach service providers
  • Types of monitoring services for the breached population, such as credit monitoring vs. medical identity monitoring

5. Perform a risk assessment. Performing a comprehensive privacy and security risk assessment can help an organization identify, evaluate and mitigate gaps in its security and privacy program.  Lessening those gaps can reduce breach risks and lower exposure if a breach does occur. Having a third party-documented risk assessment on file can help speed up the underwriting process and may even lower insurance premiums. 

6. Find a knowledgeable broker. A broker who understands cyber insurance can break down and compare the offerings from different insurance providers. They often offer value-added services that can help identify and mitigate breach risks, as well as validate the need for a policy. 

7. Take advantage of value-added services offered. Some insurance brokers and carriers offer complimentary value-added services to help reduce breach-related risks: free consulting or legal advice from industry experts, access to a proprietary portal with privacy and security resources, educational webinars, and policy templates. When weighing policy choices, organizations should evaluate these services as part of the overall offering. As a plus, these offerings may help improve a company’s risk profile and and lower its insurance premium.

8. Get preferred vendors approved before the policy is finalized. Cyber insurance policies may require companies to use pre-approved vendors instead of their own service providers, such as legal counsel, when responding to a data breach. Such limitations can impact the quality of a response, for instance, the use of an out-of-the-country call center to manage the breach of sensitive medical data. We recommend companies negotiate the right to use favored vendors or select their own vendors before the contract is finalized.

9. Understand how  to integrate insurance claims process with internal breach response. A cyber insurance policy could change the way an organization internally manages data breach incidents. Post binding the policy, companies should understand how and when to involve their carrier if a data breach occurs. This may include updating any documented procedures, such as an incident response plan (IRP) with new roles and responsibilities, revised timeline and current contact information.

10. Avoid common pitfalls with an insurance carrier. This most often happens when the insured does not fully understand the policy, causing a dispute on coverage. For example, the carrier may mandate the use of its pre-approved vendors, while an organization may prefer to use its internal resources or favored vendors.  It’s best to resolve these conflicts before binding the policy.

Evaluating the need for cyber coverage is not a one-person job. Companies should discuss their data breach risks and risk management options cross-functionally, involving leaders from IT, risk management, privacy, compliance and legal departments. Working together, executives can more accurately quantify risks, evaluate options and develop a cost-benefit analysis to determine if cyber insurance is the right investment for their needs.

Read related: "What's Driving the Rise in Data Breaches?"

Read related: "Healthcare Data Breaches: Handle With Care."

Page 2 of 2
About the Author
Rick Kam, CIPP

Rick Kam, CIPP

Rick Kam, CIPP, is president and co-founder of ID Experts, a Portland, Ore.-based provider of comprehensive data breach solutions. He is an expert in privacy and information security, with extensive experience leading organizations to address the growing problem of protecting PHI/PII and remediating privacy incidents, identity theft, and medical identity theft. He is also chairing the “PHI Project,” a seminal research effort to measure financial risk and implications of data breach in healthcare, led by the American National Standards Institute (ANSI), via its Identity Theft Prevention and Identity Management Standards Panel (IDSP), in partnership with the Shared Assessments Program and the Internet Security Alliance (ISA).  

About the Author
Jeremy Henley, CHPC

Jeremy Henley, CHPC

Jeremy Henley is an insurance solutions manager for ID Experts, a Portland, Ore.-based provider of comprehensive data breach solutions. He is certified by the Healthcare Compliance Association for Healthcare Privacy and Compliance and has 11 years of sales and leadership experience. He regularly speaks at national conferences on the topics of privacy and security preparedness and data breach response and best practices.  

Comments

Resource Center

View All »

Is It Time To Step Up And Own An Agency?

Download this eBook for insight on how to determine if owning an agency is right...

Claims - The Good The Bad And The Ugly

Fraudulent claims cost the industry and the public thousands of dollars in losses. This article...

Leveraging BI for Improved Claims Performance and Results

If claims organizations do not avail themselves of the latest business intelligence (BI) tools, they...

Top 10 Legal Requirements for E-Signatures in Insurance

Want to make sure you’ve covered all your bases when adopting e-signatures? Learn how to...

Get $100 in leads with $0 down!

NetQuote's detailed, real-time leads have boosted sales for thousands of successful local agents across the...

The Growing Role of Excess & Surplus Lines in Today’s...

The excess and surplus market (E&S) provides coverage when standard insurance carriers cannot or will...

Increase Sales Conversion with this Complimentary White Paper

This whitepaper will share proven techniques - used by many of the industry's top producers...

D&O Policy Definitions: Don't Overlook These Critical Terms

Unlike other forms of insurance where standard policy language prevails, with D&O policies, even seemingly...

Environmental Risk: Lessons Learned from Willy Wonka and the Chocolate...

Whether it’s a chocolate factory or an industrial wastewater treatment facility, cleanup and impacts to...

More Data, Earlier: The Value of Incorporating Data and Analytics...

Incorporating more data earlier in claims lifecycles can help you reduce severity payments by 25%*...

Looking for Markets?

Search Kirschner’s Insurance Directory to help service your hard to place risks.

497 Risk Categories | 70,000 P&C Insurance Markets

kirschners
Specialty Markets Insight eNewsletter

Receive updates and analyses on hard to place and challenging coverages. Sign Up Now!

Advertisement. Closing in 15 seconds.