by April Runft
“Hoping for the best, prepared for the worst, and unsurprised by anything in between.” — Maya Angelou
Businesses are advised to insure themselves against all sorts of dangers, however unlikely. Cybersecurity has joined the ranks of acknowledged business vulnerabilities. That vulnerability is particularly strong among corporations who house confidential customer data as a matter of course, like health providers—and it’s also top-of-mind for law firms, who often hold their clients’ most sensitive business and personal information.
Insurance policies for cybersecurity have been around for the past decade, but they’ve picked up steam over the last five years as these groups seek to assuage their fears around data breaches.
Knowing this, we decided to investigate—unabashedly asking the rookie questions about cyber insurance so you don’t have to.
Aren’t retail and healthcare the only industries that really have to worry about a breach (and therefore, insurance coverage)?
Retailers and healthcare companies are top candidates for cyber insurance coverage because they deal extensively with customers' financial and private information, but they aren't the only ones at risk. If your company employs error-prone humans, cyber risks apply to you (see next question)—even if you’re confident in your cybersecurity protocol.
“People are often hesitant to pursue a policy if they have a strong cybersecurity system in place,” said Erica Rangel, a broker at RT Specialty, a wholesale distributor of specialty insurance products and services. “But insurance isn’t a replacement for a strong system—it’s meant to enhance it.”
This article, written by Sean Cooney of Keesal Young & Logan, takes an in-depth look at how these policies can combine with other cybersecurity protocols to combat some of the most common cyber threats facing today’s enterprise.
What are the top sources of data breaches?
We can lump causes into three main buckets: external threats, internal threats, and carelessness.
Privacy Rights Clearinghouse, a resource organization for US data privacy, has been tracking the 5,325 publicly reported data breaches in the US since the organization’s inception. According to a recent report, the three most common causes of data breaches are currently hacking, portable devices (lost, discarded or stolen), and unintended disclosure (sent to the wrong party or posted publicly on a website), accounting for nearly 70 percent of known incidents.
Physical loss of non-electronic records (think: a file folder is forgotten on a bus) and insider activities (when someone with legitimate systems access intentionally breaches the system) adds another 22 percent.
It’s interesting to note that payment card fraud incidents, like “skimming” from an ATM or cashier station, account for just 1.2% of data breaches, though they seem most prevalent in the news.
Do we need cyber insurance if our data is in the cloud?
Yes, your company should have its own insurance policy. Software-as-service (SaaS) vendors generally have their own cyber insurance, but those policies only cover them. Also, while SaaS vendors are highly motivated to take reasonable steps to protect your data, their contracts often limit their liability.
How much does cyber insurance cost, and what does it cover?
Policy sizes and premiums vary and are driven by two major factors: revenue and record count.
Record count refers to the number of individuals who would need to be notified in the event of a breach. Annual policies can range from $1 million in coverage (at a cost of about $1,000) up to $100 million for large organizations. Policies typically cover two main costs:
Third-party loss. Protection for any claims made against the company by impacted parties (e.g., if further identity theft occurs as a result of a data breach)
First-party expenses. This may include out-of-pocket costs for things like:
Forensics services to determine the existence and scope of a breach
Notification costs to send physical or electronic notices to impacted parties (mandates on who must be notified and when vary by state)
Credit monitoring for impacted parties
Crisis management and public relations expenses
Extortion payments (in the event of a cyber terrorism event)
Erica estimates there are about 30 different vendors offering cybersecurity insurance coverage.
“A few years ago, companies were just kicking the tires,” she said. “But now coverage is becoming a no-brainer.”
What is the application process like?
Here’s an example of what a cyber insurance application will ask for:
General company information: Location, description, number of employees, date established, URLs, revenue data, and so on are required. Other questions include: Who from your company will serve as the main point of contact for this insurance policy (“authorized officer”)? Who would manage a response to a breach situation (“breach response contact”)?
Management of privacy exposures: Do you have a chief privacy officer, and company-wide privacy and identity theft protection policies? Do you accept credit cards?
Computer systems controls: Do you have a chief security officer? Do you train employees on your information systems? Do you have disaster recovery, business continuity, and incident response plans in place? Who are your primary vendors for anti-virus, firewall, ISP, and intrusion detection?
Website content controls: What kind of web content do you produce? Do you have a plan to respond to allegations of damaging content? Any prior complaints about trademark infractions?
Prior insurance: Do you have insurance to cover media, privacy, or network security exposures? Ever had such a policy declined or canceled?
Prior claims and circumstances: Have you experienced a breach before?
Whose responsibility is it to procure a cyber insurance policy?
“Members of upper management—typically the CEO or president—along with IT department reps, tend to initiate the process of securing an insurance policy,” said Erica. “Boards of directors are often involved, too, given their directive to protect companies’ best interests.” Of course, if a company has a general counsel, chief security officer, and/or compliance officer, those personnel may als