Is cyber-liability insurance a must-have for today’s enterprise? How should an organization go about evaluating adding this type of policy to its existing stable of risk management vehicles? Let’s take a look at the current market and a few of the questions that need answers before a company invests in a cyber-liability policy.
Cyber-liability insurance is gaining in popularity as a supplement to Commercial General Liability (CGL) policies and could be a good investment for a business looking to hedge its risk. The ROI for this type of policy has to be weighed against the business model, the data stored and the potential damages the business could incur in the event of a data breach. Companies in the healthcare and financial sectors should seriously consider obtaining one of these policies due to the regulatory burden and potential non-compliance penalties these industries face.
Is the cost worth it?
Currently, the cost of cyber-liability policies is quite low. With a record number of data breaches in 2015, the cost of these policies is climbing quickly, but they are still quite reasonable. Based on a small breach of 100,000 client records, an enterprise would pay nearly $50k in postage for sending notification letters alone. Most cyber-liability premiums, based on revenue, size and industry, hover around $1,500. Large multi-billion dollar firms may pay around $50,000.
What kind of due diligence does the enterprise need to do when buying/holding a policy? What are the pitfalls?
Completing the application for a cyber-liability policy with the correct status of your enterprise systems and security is the critical first step toward an effective cyber-liability policy. From a consultant’s perspective, I have seen quite a few enterprise clients fudge the facts on their cyber-liability policy application. These “creative” responses will come back to haunt the enterprise when it does have a breach and goes to report a claim to its insurer. If the insurer finds out that you did not have a breach response plan, data backups, effective privacy and security controls, etc., it may renege on your coverage. This is the number one pitfall and can be the genesis of a costly legal battle between the insured and the insurer.
There are some basic steps for effective enterprise due diligence when it comes to maintaining your cyber-liability policy. These steps also tie into an effective enterprise privacy and security program. They include keeping your infrastructure (servers, workstations, networking gear) up to date (software patches, hardware refreshes), maintaining physical security around critical components, deploying endpoint protection (anti-virus / anti-malware) and training users. Most security breaches gain a toe-hold due to an error by a user or to malicious user intent. For example, the Target breach was propagated by phishing emails.
There are additional security technical controls that can be implemented to protect data in the cloud. Mobile Device or Mobile Application Management (MDM/MAM) software installed on a user’s mobile device is a good first step in securing and controlling sensitive corporate data in the cloud via a mobile platform.
On the risk management process side, organizations should know what is riding on their network and what is accessing their applications. With appropriate asset, network, log and mobile device management controls in place, this would be a relatively “easy” process. However, certain industries, healthcare and government for example, lack a certain IT maturity level that other industries (the financial sector, for instance) take for granted. Establishing proper asset management and data management processes and procedures should be a high priority for industries handling sensitive information.
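One concrete form that “knowing what is riding on your network” takes is reconciling what the network actually sees against the asset inventory. The script below is an added example, not code from the original post: it parses constructed DHCP lease lines (in a simplified, assumed log format), checks each device against a constructed inventory, and reports devices that are unknown, inventoried devices that are recorded as unpatched, and inventory records that never appear on the wire. The inventory layout, the log format and the MAC addresses are all assumptions made for illustration.

```python
"""Reconcile hosts seen on the network against an asset inventory.

Added example, not from the original post. The inventory and the DHCP
lease lines below are constructed sample data; the log format is a
simplified one assumed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed asset inventory (CMDB) keyed by MAC address.
INVENTORY = {
    "00:11:22:33:44:01": {"owner": "finance", "type": "workstation", "patched": True},
    "00:11:22:33:44:02": {"owner": "it", "type": "server", "patched": False},
    "00:11:22:33:44:03": {"owner": "hr", "type": "workstation", "patched": True},
}

# Constructed DHCP lease log lines.
# Assumed format: "<timestamp> DHCPACK on <ip> to <mac> (<hostname>)"
SAMPLE_LEASES = """\
2016-01-04T08:01:12 DHCPACK on 10.0.5.21 to 00:11:22:33:44:01 (fin-ws-07)
2016-01-04T08:03:40 DHCPACK on 10.0.5.22 to 00:11:22:33:44:02 (it-srv-02)
2016-01-04T08:05:09 DHCPACK on 10.0.5.40 to aa:bb:cc:dd:ee:ff (android-9f3c)
2016-01-04T08:07:55 DHCPACK on 10.0.5.21 to 00:11:22:33:44:01 (fin-ws-07)
"""

LEASE_RE = re.compile(
    r"DHCPACK on (?P<ip>\S+) to (?P<mac>[0-9a-fA-F:]{17}) \((?P<host>[^)]*)\)"
)


@dataclass
class Finding:
    mac: str
    ip: str
    host: str
    reason: str


def parse_leases(text):
    """Return {mac: (ip, host)}, de-duplicated by MAC and keeping the latest lease."""
    seen = {}
    for line in text.splitlines():
        m = LEASE_RE.search(line)
        if m:
            seen[m["mac"].lower()] = (m["ip"], m["host"])
    return seen


def reconcile(lease_text, inventory):
    """Flag devices not in the inventory and inventoried devices marked unpatched."""
    findings = []
    for mac, (ip, host) in parse_leases(lease_text).items():
        asset = inventory.get(mac)
        if asset is None:
            findings.append(Finding(mac, ip, host, "not in asset inventory"))
        elif not asset["patched"]:
            reason = f"{asset['type']} owned by {asset['owner']} is unpatched"
            findings.append(Finding(mac, ip, host, reason))
    return findings


def missing_from_network(lease_text, inventory):
    """Inventoried assets never seen on the network (stale records or offline devices)."""
    seen = parse_leases(lease_text)
    return sorted(mac for mac in inventory if mac not in seen)


if __name__ == "__main__":
    for f in reconcile(SAMPLE_LEASES, INVENTORY):
        print(f"{f.mac} {f.ip} {f.host}: {f.reason}")
    print("never seen on network:", missing_from_network(SAMPLE_LEASES, INVENTORY))
```

Run against real data, the lease text would come from the DHCP server log and the inventory from the CMDB export; the unknown-device and never-seen lists are exactly the gaps an insurer’s application asks you to be honest about, so producing them on a schedule is a cheap way to keep the answers on that application true.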
What are the most important things to look for in a policy?
Besides the premium, important coverage areas include breach notification correspondence, credit monitoring, regulatory audits, infrastructure remediation, legal representation, breach response and breach damage claims. The average cyber-liability policy covers $1 million, which can quickly be exceeded depending on the scope of the breach. This is why the enterprise must conduct a risk assessment to know the true average cost it would incur in the event of a data breach.
Based on the feedback I receive from my healthcare clients, many larger organizations are requiring their Business Associates to have cyber-liability insurance before that organization will sign a Business Associate Agreement (BAA). I feel that this will further spur the uptake of cyber-liability policies and make them a must-have risk management tool; at least in the healthcare space.
Let me know your thoughts in the comments below!