
Cyber insurance advice

Dave Nelson, CISSP is president and CEO of Integrity. 


Let’s start 2016 off with a bit of advice for any company or non-profit organization that uses technology. You should purchase cyber insurance this year. In today’s world of high-profile cyberattacks, a few things have become crystal clear. First, it’s not if you will suffer a cyberattack, it’s when. Second, data breaches occur at companies of any size and in any industry. And finally, no matter how much you spend on information security, a breach will be costly.

As with insurance that protects any other asset, cyber insurance is one part of a risk mitigation strategy. You can’t simply buy insurance and take no other precautions. Insurance is designed to limit your exposure to loss after a series of other steps have been taken.

The question is, what kind of cyber insurance is right for you? Let’s look at some of the coverage options available today. Every carrier is different, and these policies are nowhere near as standardized as general liability, auto, life, or home policies. Each carrier may call its coverage something different, but you need to understand what is covered and what is not.

Network Security

This type of policy will typically cover the costs associated with the downtime and cleanup from network security issues such as a virus outbreak. You need to read the policy carefully, because it may not cover actual hacking attacks.

Incident Response

This policy will cover the costs for a security expert to lead the effort to assess the data breach, coordinate the reaction plans, document remediation, and work with law enforcement on your behalf or interface with regulatory agencies. Having an expert lead incident response usually results in quicker resolution. They often provide a more complete assessment of the true cause of the breach, can help suggest remediation actions, and provide counsel during and after the incident.

Digital Forensics

Knowing you suffered a breach is one thing. Discovering how it happened, the depth and breadth of the breach, or other existing breach points is another. Digital forensic coverage will cover the costs to fully investigate the incident and discover any additional threat actors in your environment.

Remediation Efforts

Some policies will only cover the costs to stop the active breach.  While that certainly helps, it doesn’t mean that same attack vector will not be used in the future.  A policy that covers at least a portion of the costs to fix the problem can be helpful.

Breach Notification

Notifying clients that a breach has occurred is required by state breach notification laws, HIPAA and many international laws. This type of coverage will pay for the costs associated with identifying the affected parties and notification of the victims according to any regulatory requirements.

Credit Monitoring

Providing credit monitoring or other post-breach assistance to victims is a common way to buy goodwill with your affected customers. This policy will cover these costs.

Legal Defense

Many data breaches end up in some form of litigation, whether between you and a vendor, you and a client, you and a regulatory body, or you and just about anyone. Policies vary on how and to what extent the insurance carrier will defend you in litigation.

This is just the tip of the iceberg in terms of cyber liability insurance. This is still a relatively new field, and insurance carriers, having suffered significant losses, are scrambling to create policy limits and exclusions to limit those losses. Most general liability policies now explicitly exclude any coverage for network and information security-related issues, thereby forcing you to purchase coverage for this inevitable loss.

It’s imperative that you discuss cyber insurance with a broker who is well versed and specializes in cyber coverage. A vast majority of brokers today are inexperienced in dealing with cyber insurance due to its relative newness in the marketplace and the ever-changing products offered by carriers.

One last word on why you should buy cyber insurance. You may have the staff and expertise to deal with a data breach internally, but the time spent by your internal resources responding to a breach is not covered by insurance.  Your team is taken away from their daily jobs to address the breach, leaving other important tasks on the back burner for days, maybe even weeks.  Cyber liability insurance typically only covers the costs for external parties to address the breach. It is important to ask yourself if having insurance that covers the cost of external help will outweigh the costs of internal resources being pulled away to handle the incident.

Dave Nelson is president and CEO of Integrity.

Email: dave.nelson@integritysrc.com

Twitter: @integritySRC | @integrityCEO

Website: integritysrc.com
