Insurance companies are getting tired of footing the bill for corporations that continue to get breached. Frequently, these breaches are the result of either weak policies or someone not following the policies that are in place. Let’s face it, people are the weak point in most security plans, and the problem isn’t solving itself anytime soon.
The result is that your insurance company is getting into the security business to make sure that the people it insures are not a risky investment. This may be covered in your professional errors & omissions insurance, but more and more customers are asking anyone who handles customer information, patient data or PII, including service providers, to provide what is called “cyber liability insurance.”
Examples of Cyber Liability Insurance
Let me offer a little education on what cyber liability insurance would cover for you. Your specific policy determines what it covers, but some good examples of what a typical policy covers are outlined below:
- Coverage for legal fees and computer forensic costs in the event of a security or privacy breach
- Regulatory fines and penalties included under Security Event Costs and PCI assessment coverage available by endorsement
- Customer notification expenses, including legal expenses, credit monitoring, postage and advertising
- Comprehensive interruption expenses coverage, including income loss
- Coverage for damages to third parties caused by a breach of network security
- Definition of claim includes a demand for monetary and non-monetary damages
The next part of the policy covers “first-party costs,” which are the costs to the insured organization (you) and relate primarily to restoring computer functionality, business interruption costs and forensic investigations. Here are some examples:
- Loss of digital assets coverage
- Non-physical business interruption and extra expense
- Cyber extortion
- Cyber terrorism
- Security event costs
Finally, there are “third-party costs,” which include fees paid to retained specialists for services related to litigation, responding to regulatory investigations and requirements, governmental inquiries, credit monitoring for impacted customers, public relations, notices and communications to consumers, customers and other third parties, and other liability management issues related to the data breach. Here are a few examples:
- Network security and privacy liability
- Employee privacy liability
- Electronic media liability
Why Cyber Liability Insurance is Important
When you have had a breach and have to start notifying all of your customers, providing them with free credit monitoring, etc., it is your insurance company that pays a lot of the bill, not to mention all of the fees involved in the actual investigation. There are some great companies that specialize specifically in this area, such as Halock Security Labs, that can help you with your investigation.
When you have a breach, and chances are you will, you will be happy that you have spent the time to get the proper cyber liability coverage. According to the Experian 2015 Data Breach Forecast, almost half the organizations they spoke to had a security incident within the last year. However, there’s a catch: insurance companies have found that a company’s security posture is a good measure of how much of a risk they are to insure. Because of this, you are seeing a shift in the industry: insurers require customers to prove they are secure, and how well they score determines what they pay annually. Customers that continue to do the following things are seeing their rates increase and may soon find themselves uninsurable:
- Sharing accounts
- Not having users perform actions as themselves
- Not enforcing least access privilege
- Not having an audit trail of what administrators and application owners do on their systems
- Not utilizing multi-factor authentication (MFA)
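To make that list concrete from the defender's side, here is an added example (not code from the original post or from Centrify) that runs three of those checks over a handful of privileged-action audit records. The log format, field names (user, actor, account_type, mfa, action, cmd) and the records themselves are constructed for this example; a real deployment would map its own audit source onto the same fields. It flags direct logins to shared accounts, actions with no attributable individual behind them, and privileged sessions established without MFA; the audit trail itself is the input, so a system with no trail cannot be checked at all.

```python
"""Audit constructed privileged-action records for the insurer-flagged gaps:
shared accounts, unattributed actions, and missing MFA."""
import re
from collections import Counter

# Constructed sample records (not from any real system). One record per line:
# timestamp, then key=value pairs; cmd is quoted because it may contain spaces.
SAMPLE_LOG = """\
2015-03-02T09:12:01Z user=jsmith actor=jsmith account_type=individual mfa=yes action=sudo cmd="systemctl restart nginx"
2015-03-02T09:15:44Z user=root actor=unknown account_type=shared mfa=no action=login cmd="-"
2015-03-02T09:20:10Z user=admin actor=unknown account_type=shared mfa=no action=login cmd="-"
2015-03-02T10:01:33Z user=mlee actor=mlee account_type=individual mfa=no action=sudo cmd="useradd contractor1"
2015-03-02T10:05:12Z user=dba_app actor=akhan account_type=service mfa=yes action=su cmd="-"
"""

# key=value where value is either a double-quoted string or a bare token
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse one record of the constructed format into a dict."""
    timestamp, _, rest = line.partition(" ")
    record = {"timestamp": timestamp}
    for key, value in FIELD_RE.findall(rest):
        record[key] = value.strip('"')
    return record


def parse_log(text):
    """Parse a multi-line log, skipping blank lines."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def findings(records):
    """Apply the three checks; returns a list of (rule, timestamp, user)."""
    out = []
    for r in records:
        # Direct login to a generic/shared account (root, admin, ...)
        if r["account_type"] == "shared" and r["action"] == "login":
            out.append(("SHARED_ACCOUNT_LOGIN", r["timestamp"], r["user"]))
        # No individual behind the action: the trail cannot say who did it.
        # A service account used via a named actor (dba_app by akhan) passes.
        if r["actor"] == "unknown":
            out.append(("UNATTRIBUTED_ACTION", r["timestamp"], r["user"]))
        # Privileged session without multi-factor authentication
        if r["mfa"] != "yes":
            out.append(("NO_MFA", r["timestamp"], r["user"]))
    return out


def summarize(text):
    """Count findings per rule, the figure an underwriter questionnaire asks for."""
    return Counter(rule for rule, _, _ in findings(parse_log(text)))


if __name__ == "__main__":
    for rule, ts, user in findings(parse_log(SAMPLE_LOG)):
        print(f"{ts} {rule:22} user={user}")
    print(dict(summarize(SAMPLE_LOG)))
```

On the sample records the two shared-account logins each trigger all three rules, and the individual sudo without MFA triggers one more, giving seven findings in total. The checks are deliberately simple attribute tests so that they can be re-pointed at whatever your own audit source records; the value is in having the trail and running the checks before the underwriter asks.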
I have seen many Technical E&O (errors & omissions) policies include a coverage exclusion for failure to maintain software and/or hardware to industry best practices standards. Those policies usually include questions in the application process detailing data security practices. Those applications become a warranty and part of the policy. Therefore, if a company does not have or implement the required standard, their coverage may be voided.
Most carrier applications now have questions regarding the vendors or services used to implement best practices or audit network security. The answers provided allow underwriters to review the procedures, make some risks more attractive than others, and allow for more competition and potentially better terms and conditions and lower pricing.
Most insurance policies now require prompt reporting of breaches, whether or not a claim is made. The insurance company wants the insured to take advantage of all resources (forensics, crisis management, etc.) that may be either a benefit offered by the carrier or warranted by the insured to help mitigate losses.
Furthermore, having an incident response plan in place, and designating a team to execute that plan before a breach occurs, contributes significantly to mitigating data loss and the corresponding fraud and identity theft that follow an unauthorized breach of data.
The most effective time to purchase cyber security insurance is after an enterprise has created and implemented an incident response plan, along with the other components of a comprehensive information security plan, so that it better understands what its insurance needs are and can enjoy lower rates because it has adopted best practices.
Learn about how Centrify can secure your enterprise here.