Of the many threats that are top of mind for risk managers andthe insurers who help them, cyber attacks and data breachescontinue to receive a lot of attention.

For good reason, according to a recent report,the per-record cost of a data breach reached $154 in 2015, up 12%from $145 the year prior. Additionally, the average total cost of asingle data breach rose 23% to $3.79 million.

Most risk managers understand that it is no longer a question of"if" but instead "when" their company will experience an incident.In fact, according to the Ponemon Third Annual Study on Data Breach Preparedness, only35% of organizations had a data breach or Cyber insurance policy in2015, and many more are now looking to buy policies.

In order to secure the best coverage option, companies must workwith their brokers to evaluate policies, as well as take steps toassess their cyber risks and reduce the overall cost ofinsurance.

Here are three tips for risk managers to keep in mind whenworking with brokers to select a Cyber insurance policy:

Work with your broker

Companies need to properly evaluate policies to ensure they aregetting coverage that meets their risk profile.

Key to this process is working with an insurance broker toconfirm that you're getting the best guidance in this specializedarea. Brokers are knowledgeable about the exposures presented bysecurity incidents and can help you navigate the wide variety ofpolicy options.

In speaking with companies and Cyber insurance brokers who havebeen through the process of buying coverage, these are the keyaspects to look for in a policy:

• Coverage for crisis response services including forensics,legal and data breach resolution partners that are well establishedand are experts in the industry. Often a policy will outline theoutside experts that can be used during an incident, and it'simportant that risk managers and your broader response team arecomfortable with the options. In some cases, companies and brokerscan also negotiate using their own preferred providers, but thisshould be done prior to an incident.
• Coverage for third-party cloud or other IT providers who haveaccess to sensitive information of the covered company. While someof the liability may ultimately lie with the third-party provider,this isn't always the case and could be an area of oversight.
• Risk management services ahead of an incident that can help thecompany more effectively prepare for managing security or privacyincidents. Many policies will offer resources and guidance onincident-response plans and practices that will help the companyprepare for an incident. Some will also take companies ordepartments through a cyber-security drill to help them betterprepare.

Overall, be sure to obtain a top quality broker that understandsthe coverage landscape and can help you navigate through the rangeof options presented based on an understanding of your company andyour industry.The analysis and decisions should always be conductedunder the guidance of your broker.

Ask smart questions

The early insurers in the Cyber insurance market have beenaround for more than 10 years, but because of the high-profileretail and healthcare breaches over the past 18 months, we haveseen an uptick in new players in the market. Because of theincrease in providers, companies should be sure to ask questionswhen deciding between policies to ensure that they're selectingcoverage best suited for their needs. Questions your broker shouldask insurers include:

• What is the breadth of coverage and what exemptions are in thepolicy? Do they demonstrate a clear understanding of the real risksthis company faces from security threats?
• How much loss experience does the insurer have in this area?Has the insurer paid actual data breach claims and covered otherprevious, major incidents?
• Does the insurer have specific policies that account for therisks or needs of your organization's industry?

Many older generations of Cyber policies contained exclusionsthat would make that coverage noncompetitive in today'smarketplace. It's important to cover all the aspects of a response,both pre- and post-breach, and dig into what's really includedand excluded in a potential future loss.

Reduce your risk

Finally, when looking to shop for a Cyber liability policy withyour broker, doing some due diligence on your cybersecuritypractices ahead of time can be helpful in possibly reducing theprice of a policy or getting terms that are important for yourorganization. Insurers are looking for companies that candemonstrate they have a mature security program that reduces thelikelihood of an incident.

• Have a well-documented data breach response plan in place. Companiesthat have a plan are more operationally prepared and betterequipped to respond in a timely manner. Experian and several otherdata breach experts can provide guidance on response planning,which can be a useful place for companies to start.
• Conduct an annual cyber risk assessment. Once this iscompleted, you can better understand what cyber risk you may wantto cede via coverage, as well as demonstrate your company's strongsecurity practices and technology infrastructure to potentialinsurers. The assessment should be looking at a wide angle of thoserisk exposures such as your weak spots and what you plan to doabout them.
• Provide details about how your organization holds vendors orother third parties that may have access to your sensitiveinformation accountable for implementing the same level of prudentsecurity practices as your own organization. Demonstrating duediligence in managing these relationships will go a long way.

Ultimately, companies will benefit greatly from cyber insuranceif they are informed about their security risks, educated on thevariety of policies available and aware of the coverage they need.Just remember, it is your responsibility to be an educated buyer.Following these three tips when working with your broker can helpensure you get a policy that fits your organization.

Mark Greisiger is president of Gladwyne, Pa.-based cyberrisk assessment and data breach services company NetDiligence.Contact him at [email protected].

Michael Bruemmer, CHC,  CIPP/US, is vice presidentof Dublin-based Experian's Data Breach Resolution group. Contacthim at [email protected].

Related: Is your business prepared for weather and cyberrisks?

Have you Liked us on Facebook?