There’s been a myriad of articles outlining the benefits of cyber liability insurance following the well-publicized data breaches of Target, P.F. Chang’s, JPMorgan Chase, eBay, Home Depot and hundreds of other organizations. While most people know that cyber liability insurance pays for claims following a loss, many overlook the benefits to an organization prior to a breach and even in the absence of a data breach. These benefits will not only reduce the odds of having a data breach, but should a breach occur, having coverage could meaningfully reduce potential damages and regulatory exposure.
Here are five areas to consider when reviewing cyber liability with insureds.
Training and Compliance
We know from many reports, such as the Ponemon Institute’s annual Cost of Data Breach Study, that employees are a leading cause of data breaches. One way to improve a cyber liability risk profile is to train employees to properly handle private information. Some insurers provide a solution that not only helps train employees, but also monitors progress, tracks completion by every employee and generates a report that can be used for many purposes.
Having a high completion rate can be critical following a breach in conversations with the many regulatory agencies that will investigate. There is a direct correlation between an organization’s negligence prior to and during a breach and the magnitude of the possible regulatory fines and penalties. Privacy attorneys say their discussions with regulators are far more pleasant when they can quickly demonstrate a breach stemmed from an honest mistake rather than negligence or indifference.
Insurers have partnered with well-known security firms to help assess the strength of network security. These firms can provide vulnerability scans, Internet traffic tracking, and penetration tests. This shouldn’t be viewed as a threat to the competence of an IT department, but rather as an additional assessment that’s free. Typically the results are not shared with the insurance company. Insurers benefit by knowing that their clients are using high-quality vendors to protect their networks and reduce the odds of a loss.
Risk Management Portals
Most insurers offer risk management content from highly specialized vendors on a web portal specifically for the use of the insurance buyer. These portals typically contain sample privacy policies for websites and employee handbooks, data breach examples, loss calculation tools, FAQs, vendor due diligence assistance, risk management tips, news articles and claim contact information.
Some insurers will provide access to both legal and IT professionals to ask questions about incidents that may constitute a breach. With multiple federal regulations and 47 out of 50 states having their own privacy regulations, it is often hard to discern if an event is material enough to disclose to regulators or the individuals whose personally identifiable information (PII) and personal health information (PHI) were potentially compromised. Every legitimate breach needs to be disclosed in accordance with the applicable regulation, but some events do not need to be disclosed. The disclosure of an event that doesn’t constitute a breach can lead to regulatory attention as well as reputational harm.
Often included with cyber liability policies is a roadmap of what to expect in the event of a breach, including a “breach coach” who coordinates all the players on an insured’s behalf. Among the players: a forensic security vendor, law firm (protecting the process with attorney-client privilege), public relations professionals, notification firms, credit monitoring firms, identity restoration firms, insurance company claims contacts, PCI compliance experts, forensic accountants and call centers. Many risk managers buy cyber liability insurance just to get the prepackaged “SWAT” team.
With cyber liability insurance policies, insureds get a two-for-one deal – an insurance product that may cover financial losses and expenses associated with a data breach, and a host of services that help lower the risk profile.
About David Lewison
Lewison is the financial services national practice leader for AmWINS.