Companies tap into cyber insurance to manage business risk

Coverage should be included in security toolbox

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

Man­ag­ing cyber risks in the Infor­ma­tion Age is some­thing busi­ness­es of all sizes must deal with. Part of risk man­age­ment is insur­ance lia­bil­i­ty cov­er­age. Third­Cer­tain­ty recent­ly spoke with Shawn E. Dougher­ty, direc­tor of cyber com­mer­cial lines prod­uct devel­op­ment at ISO Insur­ance Pro­grams and Ana­lyt­ic Ser­vices, to dis­cuss this landscape.

3C: Why do com­pa­nies need to at least look into cyber insurance?

Dougher­ty: Cyber insur­ance is a risk man­age­ment tool. Many stand-alone cyber insur­ance pro­grams avail­able in the mar­ket­place today pro­vide both first- and third-par­ty cov­er­ages designed to pro­tect you from the many expens­es asso­ci­at­ed with a data breach.

Info­graph­ic: Busi­ness­es look to insur­ance indus­try to pro­vide cyber safe­ty net

These expens­es can include, among oth­er things, the costs of inves­ti­gat­ing the inci­dent; noti­fy­ing affect­ed par­ties about the breach; restor­ing lost data; hir­ing a pub­lic rela­tions firm; and offer­ing cred­it mon­i­tor­ing for the vic­tims of the breach.

Busi­ness income, extra expense cov­er­age, and cov­er­age for the costs asso­ci­at­ed with extor­tion threats—ransom pay­ments, for example—also are com­mon­ly avail­able. With respect to cyber lia­bil­i­ty expo­sures, web­site pub­lish­ing lia­bil­i­ty (e.g., infringe­ment of another’s copy­right, trade­mark, ser­vice mark, slo­gan, etc.) and pro­gram­ming errors and omis­sions lia­bil­i­ty cov­er­ages also are wide­ly available.

3C: What’s impor­tant to know about the cur­rent state of cyber insur­ance products?

Dougher­ty: Cyber insur­ance has been avail­able in the mar­ket for about 10 to 15 years, but it is still in its infan­cy. Cur­rent­ly, most of the car­ri­ers who sell cyber insur­ance gen­er­al­ly do so using their own pro­pri­etary insur­ance forms. Many of these cyber insur­ance poli­cies have been updat­ed over the years to now include many types of coverages.

Even so, it is impor­tant to note that pol­i­cy-spe­cif­ic terms, con­di­tions, def­i­n­i­tions and exclu­sions can and often do vary among dif­fer­ent car­ri­ers. For instance, two dif­fer­ent com­pa­ny cyber insur­ance poli­cies might pro­vide secu­ri­ty breach cov­er­age, each with dif­fer­ent def­i­n­i­tions of what con­sti­tutes a cyber inci­dent. Depend­ing on the cir­cum­stances of a poten­tial claim sce­nario, the claim might be cov­ered under one pol­i­cy and not cov­ered under the other.

Three-part series: Despite bar­ri­ers, cyber insur­ance catch­es on in key sectors

3C: A lot to watch out for.

Dougher­ty: The bur­den is on you, as the insured, to com­pare each of the poli­cies you are con­sid­er­ing pur­chas­ing to deter­mine the expo­sures that may be cov­ered and those that aren’t.

As the cyber insur­ance mar­ket con­tin­ues to mature, cyber insur­ance like­ly will become more stan­dard, just like some of the more tra­di­tion­al com­mer­cial lines insur­ance pack­age pro­grams, such as com­mer­cial gen­er­al lia­bil­i­ty and com­mer­cial property.

3C: Is cyber insur­ance real­ly worth it?

Dougher­ty: It seems that hard­ly a week goes by with­out the next “largest-ever” data breach affect­ing mil­lions of con­sumers being fea­tured in the news. The results of one recent study found that close to 70 per­cent of busi­ness­es have been hacked in the past 12 months. It also seems that no busi­ness is safe—in 2015 alone, retail oper­a­tions; health care facil­i­ties; col­leges and uni­ver­si­ties, even the fed­er­al gov­ern­ment report­ed­ly have suf­fered data breaches.

In sim­ple terms, busi­ness own­ers need to com­pare the poten­tial costs asso­ci­at­ed with deal­ing with a data breach naked—that is, with­out cyber insurance—versus the costs of pur­chas­ing a cyber insur­ance policy.

3C: What are the caveats?

Dougher­ty: I would encour­age all busi­ness­es to per­form a thor­ough cyber expo­sure analy­sis to deter­mine the firm’s poten­tial cyber expo­sures, if any, and its need—or lack thereof—for spe­cif­ic cyber cov­er­ages. Vir­tu­al­ly every com­mer­cial busi­ness faces some expo­sure to cyber loss­es. To what degree varies com­pa­ny to company.

Secu­ri­ty & Pri­va­cy Week­ly News Roundup: Stay informed of key pat­terns and trends

3C: What if my com­pa­ny already has pur­chased cyber insurance?

Dougher­ty: Busi­ness­es today should not pur­chase a cyber insur­ance pol­i­cy and then rest on their lau­rels. It often takes more than a cyber insur­ance pol­i­cy to pro­tect them.

Com­pa­nies need to be dili­gent and con­tin­u­ous­ly mon­i­tor their cyber expo­sures and safe­guards. This includes keep­ing their com­put­er sys­tems up-to-date and stay­ing on top of their poten­tial vul­ner­a­bil­i­ties and threats.

The company’s senior man­age­ment team should work with staff to devel­op and imple­ment best prac­tices for data asset man­age­ment, includ­ing imple­ment­ing and fol­low­ing data col­lec­tion, reten­tion and dis­pos­al poli­cies. Staff train­ing is a crit­i­cal com­po­nent of this plan. Staff should be trained and con­tin­u­ous­ly remind­ed about actions to take and steps to fol­low if they sus­pect a data breach has occurred.

3C: Any­thing else?

Dougher­ty: I would strong­ly encour­age orga­ni­za­tions to become edu­cat­ed about cyber expo­sures and to work with their agent or bro­ker to iden­ti­fy and help ana­lyze the firm’s poten­tial cyber loss exposures.

Keep in mind that the size of your firm does not nec­es­sar­i­ly indi­cate the need—or lack, thereof—for cyber insur­ance. There are many exam­ples of small- to mid-size busi­ness­es that have a greater cyber expo­sure than per­haps a much larg­er com­mer­cial firm. One of the unusu­al things about cyber—it knows no bound­aries, and a small busi­ness poten­tial­ly can col­lect much more con­fi­den­tial infor­ma­tion than a much larg­er firm.

More on cyber insurance:
Not all cyber insur­ance is cre­at­ed equal: Tips for busi­ness­es shop­ping for coverage
Cyber insur­ance ris­es to meet increas­ing secu­ri­ty challenges
Cyber lia­bil­i­ty insur­ance for SMBs debated

Posted in Q&A