Cyber Insurance – Predicting the Unpredictable
Cyber criminals do not care who they steal from, and predicting their next target is next to impossible. It could be someone with the large healthcare database, like Anthem. Or another big retailer, like Target. Or one of the local organization with lax security measures. The truth is, nobody has the crystal ball. Breaches have occurred in organizations of all sizes and in all industries, from retailers to hospitals, to government organizations. As long as your company stores sensitive information electronically, you are not immune from the hackers’ reach.
As with anything else in life, to protect yourself from the unpredictable events, most organizations rely ono insurance services. Cyber liability insurance has been around for more than 10 years, with a recent upsurge in demand. According to Marsh, an insurance brokerage and risk management company, the purchase of cyber liability policies showed a 32% increase among their clients between 2013 and 2014.
Those numbers are not surprising – it is becoming more and more risky for organizations to run their businesses without insuring themselves against cyber risks. It is especially true for small and mid-size companies which can be easily ruined because of a single data breach. According to Ponemon Institute and IBM, the average cost of a data breach in 2015 was $3.8 million. How many small companies can easily afford to this type of expense? These costs only represent the average costs not a worst case scenario. In 2014, the costs for the most expensive data breach amounted to about $31 million, and the least expensive was estimated to be around $750,000.
It is easy to see why a company would want to purchase a cyber liability insurance policy. According to Ponemon Institute and IBM, the current number of companies with cyber liability insurance in the US is about 8%, and the number is growing fast.
Typical Damages of an Electronic Data Breach
Cyber breaches can occur in a million different ways – from criminals hacking into the system, to employees losing unprotected hard drives, or emailing unprotected sensitive data to the wrong recipient. In the end, no matter how a breach occurred, the consequences are costly, and the damages can take a long time to recover from.
Some of the typical tangible costs incurred due to cyber breaches include the following:
- Notification expenses – if your customers’ data was compromised in any way, your duty is to notify your customers. It could include preparing and mailing notices, and designating someone to answer any potential customer inquiries.
- Credit alert services – to ensure that the breached customer data is not used for fraudulent purposes (fake identities, unauthorized purchases, etc.), organizations need to allow customers with compromised data to have free access to their credit reports. The typical length of time during which customers can monitor their reports is 12 months.
- Legal costs – in the unfortunate case of a lawsuit over the breached data, organizations need to have funds set aside for possible judgments and settlements.
- Investigation expenses – in order to figure out how did the breach occur, who was responsible, and what can be done to prevent it in the future, organizations need to hire a team of forensic experts to analyze the circumstances of the breach.
- PR costs – organization may need to involve a PR firm to attempt to repair damages done to their reputations. Typical actions may include issuing statements, doing interviews, and other similar activities.
- Interruption of daily business activities – many organizations find it difficult to continue doing business as usual right after a breach, which can lead to lost customers and diminished revenue.
Who Can Benefit from Cyber Insurance the Most?
A company of any size in any industry can benefit from acquiring a cyber insurance policy. However, the smaller the company, the more vulnerable it is to cyber breaches, with more severe long-term consequences. Considering that the average breach costs $3.8 million, smaller organizations can be ruined from the consequences of a single breach.
Cyber insurance can cover many expenses associated with cleaning up cyber breach damages. However, it is important to remember no insurance can restore corporate reputation (although it can pay for PR efforts to do so), and no insurance can pay for future revenue loss.
How to Evaluate a Cyber Insurance Policy?
Cyber liability insurance can be purchased as an add-on to other policies, such as standard property insurance. It can also be acquired as a stand-alone policy with customizable features tailored to the needs of your business.
Cyber liability insurance premiums can vary greatly. They depend on the company’s industry, its current security protocols, annual revenue, and potential data risks. Since each insurance company has its own way of assessing cyber insurance risks, annual premiums vary significantly. They can range from under $1,000 to well over $100,000, with typical policies paying out anywhere between $1 million and $20 million, in the event of a breach.
While stand-alone policies are infinitely customizable, standard add-on policies are very rigid. They are also rife with coverage gaps and exclusions. Some of the top exclusions businesses need to pay attention to include the following:
- Government or regulatory body violations – cyber liability policies can’t be used to recover damages associated with non-compliance with government regulations. Regulations vary greatly from industry to industry, and it is essential to create a solid system to ensure compliance with all applicable laws and regulations. Some of the common requirements include sensitive data encryption and timely customer notifications in the event of a breach.
- Third-party breaches – if an organization entrusts its data to a third-party provider (such as a hosting partner), and the provider’s network ends up getting breached, most insurance companies will deny the claim. In such cases, the third party provider should carry insurance to protect itself from cyber breaches. The only solution here is to work with reputable third parties with proper security procedures in place. If you are using a hosting partner, your agreement should clearly spell out what kind of preventive measures they have in place, and what are their responsibilities in the event of a breach. They
- Breaches which occurred before the policy was in place – some breaches can take months, or even years to uncover. Most policies only pay for breaches which occurred and were discovered when the policy was active.
- Business email compromise-type breaches – one of the latest trends, business email compromise (BEC) scams are also often excluded from cyber insurance coverage. BEC scams use deception to coerce an unsuspecting victim (such as a real estate buyer) to transfer money into the wrong account (belonging to the criminal, rather than a legitimate party). Since the transfer is done voluntarily (even though the victim was deceived by the criminal), most insurance companies will deny such claims. There are only two ways how businesses can protect themselves from BEC scams. They can implement an employee training program to minimize the possibility of breaches, and introduce a secure email communication strategy, requiring recipients to authenticate themselves. If an employee inadvertently responds to a BEC email, the criminal would not be able to gain access to the data due to the lack of proper authentication credentials.
- Unencrypted data – if a company fails to encrypt sensitive data, and the data gets stolen, many insurance companies will deny the claim, citing that the company failed to put reasonable security measures in place to protect their data. In a way, it is a reasonable request, since encryption of sensitive data is also one of the requirements for compliance with many federal, as well as many state regulations. Implementing a user friendly secure email system which ensures data in transfer is protected is essential. This will enable organizations to comply with regulations, as well as protecting themselves from coverage gaps of their insurance policies.
Reducing Risks of Cyber Breach Liability
Many organizations think cyber liability insurance is the only thing they need to protect themselves from the harsh consequences of cyber breaches. Unfortunately, it is not always this simple, especially since most policies have significant coverage gaps.
The best protection, of course, is to try to minimize the main risks associated with cyber breaches. Improving data security, and devising a strong data protection program should help deter some opportunistic hackers. However, for most companies, it is really a question of when, rather than if they are going to get hacked.
While it is impossible to completely prevent a cyber breach, it is possible to protect your data. Data encryption is the most cost-effective method of shielding your own, and your customers’ data from hackers, unscrupulous employees, and other sources of data leaks.
Data encryption is valuable because it protects you from standard cyber liability insurance gaps, since many policies specifically exclude unencrypted data from coverage especially data being emailed. It also helps you comply with federal and state regulations. For example, such regulations as HIPAA, GLBA, and multiple state laws require organizations handling sensitive customer data to encrypt it at rest, and in transit. In addition, encryption helps authenticate senders and receivers, reducing the chances of your employees ending up victims of phishing, or business email compromise scams.
There is no way to predict which companies are going to get attacked next. Being prepared is the only thing you can do to protect yourself, and your company’s reputation. Purchasing cyber liability insurance, and adopting strong security measures, including encryption of data, is going to significantly reduce the risk of your business headlining the data breach news.
Todd Sexton is President and CEO, Identillect Technologies
Latest posts by Todd Sexton (see all)
- Pokemon GO and Your Privacy - September 2, 2016
- Technology is Moving, Are You? - August 1, 2016
- Cyber Liability Insurance – A “Nice to Have” or a “Must Have”? - July 26, 2016