by Michael Bruemmer
With high-profile data breaches making the news almost daily, cyber security is a hot topic in the C-suite. And not without good reason.
The Computer Security Institute, a well-known trade association, found that two out of five companies experienced a cyber security issue within a 12-month period. Other studies, such as the Chubb 2012 Public Company Risk Survey, found that cyber risk was the No. 1 concern of respondents.
So why is it that only one third of companies surveyed by Advisen, a research group, say they’ve purchased a cyber insurance policy?
It could be because companies and organizations are struggling to find a balance between hiring extra computer security professionals and spending money on additional insurance. But that’s about to change with new technology and stricter regulations coming down the pike.
Experts believe cyber insurance sales will boom in the next 12 to 24 months, especially in the medical industry, where physicians, hospitals and healthcare organizations are moving toward the adoption of electronic health records.
In light of National Cyber Security Awareness Month, which is in October, I decided to review some of the common pitfalls to avoid if your company or organization plans to purchase cyber insurance.
1. Not completely understanding the coverage and its costs
Shopping for cyber insurance can be tricky, as the product continues to evolve and there’s no standard, one-size-fits-all policy. You should thoroughly understand your general liability policy so you know where your current insurance leaves off and where the cyber policy can pick up. It may be a good idea to contact an experienced insurance broker who understands cyber insurance and can help you weed through the verbiage to decipher different policies.
A cyber policy premium can cost anywhere from a few thousand dollars for a $1 million policy to hundreds of thousands for policies in the tens of millions.
2. Choice of vendors
Don’t get caught off guard with a policy that requires you to use pre-approved vendors to respond to a data breach. This could include attorneys, computer forensic experts, data breach resolution firms and public relations consultants.
Some insurance companies require the use of their pre-approved vendors, while you may want to respond to the breach in-house or use your own consultants. The best way to avoid this pitfall is to get your own vendors pre-approved before you sign a cyber policy.
3. Third-party contractors
Data breaches, especially in the healthcare industry, are often caused by third-party contractors who are handling your clients’ personal identifying information. This can range from medical billing companies to human resources and payroll vendors.
In fact, six out of 10 medical data breaches are caused by third parties, according to the federal Department of Health and Human Services. As a result, it’s of the utmost importance to make sure that your cyber policy covers breaches caused by third-party contractors.
4. Non-technical data breaches
Although they’re becoming less common, paper breaches still do occur. There are still cases of “dumpster diving,” where thieves steal names and other identifying information from the trash.
There are also incidents where an associate, especially a disgruntled or departing employee, steals information about your clients. In any case, it’s wise to include coverage of non-technical breaches.
5. Portable devices
Most cyber policies should cover data breaches caused by lost or stolen laptops. But with the increased usage of tablets, smart phones and flash drives, you should make sure your policy covers data stored on all portable devices.
A comprehensive cyber insurance policy should include:
- First- and third-party coverage
- Data breach resolution costs, including a breach resolution specialist, notification costs and call center expenses
- Computer forensics expenses
- Legal fees
- Public relations and crisis management expenses
- Credit monitoring and identity theft protection
- Breach of non-disclosure agreements
- Data stored on portable devices
- Data stored in the cloud
- Data stored offline (on paper)
- Business interruption and data restoration
- Cyber extortion
Cyber insurance is becoming a necessity for any company or organization that handles personal identifying information, financial information or health records of consumers. And because the expenses of a breach can be so high, it’s wise to research and shop around for the most comprehensive cyber policy at the best price. It’s also wise to enhance your computer security systems and educate everyone in your organization on precautions they can take to try and prevent a breach.
This article was written by Michael Bruemmer and originally published on corporatecomplianceinsights