Of the many threats that are top of mind for risk managers and the insurers who help them, cyber attacks and data breaches continue to receive a lot of attention.
For good reason, according to a recent report, the per-record cost of a data breach reached $154 in 2015, up 12% from $145 the year prior. Additionally, the average total cost of a single data breach rose 23% to $3.79 million.
Most risk managers understand that it is no longer a question of “if” but instead “when” their company will experience an incident. In fact, according to the Ponemon Third Annual Study on Data Breach Preparedness, only 35% of organizations had a data breach or Cyber insurance policy in 2015, and many more are now looking to buy policies.
In order to secure the best coverage option, companies must work with their brokers to evaluate policies, as well as take steps to assess their cyber risks and reduce the overall cost of insurance.
Here are three tips for risk managers to keep in mind when working with brokers to select a Cyber insurance policy:
Work with your broker
Companies need to properly evaluate policies to ensure they are getting coverage that meets their risk profile.
Key to this process is working with an insurance broker to confirm that you’re getting the best guidance in this specialized area. Brokers are knowledgeable about the exposures presented by security incidents and can help you navigate the wide variety of policy options.
In speaking with companies and Cyber insurance brokers who have been through the process of buying coverage, these are the key aspects to look for in a policy:
- Coverage for crisis response services including forensics, legal and data breach resolution partners that are well established and are experts in the industry. Often a policy will outline the outside experts that can be used during an incident, and it’s important that risk managers and your broader response team are comfortable with the options. In some cases, companies and brokers can also negotiate using their own preferred providers, but this should be done prior to an incident.
- Coverage for third-party cloud or other IT providers who have access to sensitive information of the covered company. While some of the liability may ultimately lie with the third-party provider, this isn’t always the case and could be an area of oversight.
- Risk management services ahead of an incident that can help the company more effectively prepare for managing security or privacy incidents. Many policies will offer resources and guidance on incident-response plans and practices that will help the company prepare for an incident. Some will also take companies or departments through a cyber-security drill to help them better prepare.
Overall, be sure to obtain a top quality broker that understands the coverage landscape and can help you navigate through the range of options presented based on an understanding of your company and your industry.The analysis and decisions should always be conducted under the guidance of your broker.
Ask smart questions
The early insurers in the Cyber insurance market have been around for more than 10 years, but because of the high-profile retail and healthcare breaches over the past 18 months, we have seen an uptick in new players in the market. Because of the increase in providers, companies should be sure to ask questions when deciding between policies to ensure that they’re selecting coverage best suited for their needs. Questions your broker should ask insurers include:
- What is the breadth of coverage and what exemptions are in the policy? Do they demonstrate a clear understanding of the real risks this company faces from security threats?
- How much loss experience does the insurer have in this area? Has the insurer paid actual data breach claims and covered other previous, major incidents?
- Does the insurer have specific policies that account for the risks or needs of your organization’s industry?
Many older generations of Cyber policies contained exclusions that would make that coverage noncompetitive in today’s marketplace. It’s important to cover all the aspects of a response, both pre- and post-breach, and dig into what’s really included and excluded in a potential future loss.
Reduce your risk
Finally, when looking to shop for a Cyber liability policy with your broker, doing some due diligence on your cybersecurity practices ahead of time can be helpful in possibly reducing the price of a policy or getting terms that are important for your organization. Insurers are looking for companies that can demonstrate they have a mature security program that reduces the likelihood of an incident.
- Have a well-documented data breach response plan in place. Companies that have a plan are more operationally prepared and better equipped to respond in a timely manner. Experian and several other data breach experts can provide guidance on response planning, which can be a useful place for companies to start.
- Conduct an annual cyber risk assessment. Once this is completed, you can better understand what cyber risk you may want to cede via coverage, as well as demonstrate your company’s strong security practices and technology infrastructure to potential insurers. The assessment should be looking at a wide angle of those risk exposures such as your weak spots and what you plan to do about them.
- Provide details about how your organization holds vendors or other third parties that may have access to your sensitive information accountable for implementing the same level of prudent security practices as your own organization. Demonstrating due diligence in managing these relationships will go a long way.
Ultimately, companies will benefit greatly from cyber insurance if they are informed about their security risks, educated on the variety of policies available and aware of the coverage they need. Just remember, it is your responsibility to be an educated buyer. Following these three tips when working with your broker can help ensure you get a policy that fits your organization.
Mark Greisiger is president of Gladwyne, Pa.-based cyber risk assessment and data breach services company NetDiligence. Contact him at firstname.lastname@example.org.
Michael Bruemmer, CHC, CIPP/US, is vice president of Dublin-based Experian’s Data Breach Resolution group. Contact him at email@example.com.
Have you Liked us on Facebook?