BreachExchange mailing list archives

Cyber Insurance: 6 Facts You Should Know


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 13 Mar 2014 19:35:06 -0600

http://www.esecurityplanet.com/network-security/cyber-insurance-6-facts-you-should-know.html

Insuring against cyber threats is not exactly a new concept, but most
companies -- two out of every three -- don't have cyber insurance policies.
Despite recent headlines about major security breaches, growth in the cyber
insurance market may actually be slowing.  According to New York-based
brokerage firm Marsh LLC, the number of cyber insurance policies sold in
2012 increased 33 percent compared to 2011 - but grew only 20 percent in
2013.

It's not difficult to understand why. Because the concept of cyber
insurance is relatively new, the market can seem complex and inconsistent.
There has been a significant variance among carriers in their understanding
of technology and cyber security. Cyber insurance policies can be pricey,
too. Some premiums go as high as $35,000 for $1 million in coverage.
Still, the costs of cyber insurance pale in comparison to those of a major
breach. According to a study by the Ponemon Institute, the average data
breach cost $5.4 million in 2012 -- representing an average $188 per
compromised customer account.

Therefore, it's worth at least understanding what cyber insurance is all
about - and to what extent it can benefit your organization. Here are six
need-to-know facts about cyber insurance to get you started:

Your Umbrella Policy Is Not Cyber Insurance...

Cyber insurance, being more of a specialty offering, is different from
general liability and professional indemnity insurance. General liability
policies frequently cover basics like physical damage. If a hack, a virus
or even a simple software bug creates a data loss, data breach or server
downtime, your general liability policy might not compensate you for your
loss and costs. Indeed, many insurers specifically exclude electronic
losses from their general policies. Cyber insurance policies, on the other
hand, can and frequently do cover these situations.

...but There May Be Some Redundancies

Sometimes, however, there is some overlap. Data losses as a result of
physical damage to or theft of devices could be covered by some general
policies. Manufacturer warranties also sometimes cover physical damage --
even accidents. In limited situations, a data breach or intrusion as a
result of negligence may even be covered by certain professional errors and
omissions policies. Therefore, it's best to thoroughly review your existing
coverage before going shopping for cyber insurance policies. You can then
ask your insurance agent for a less comprehensive policy in exchange for a
reduced premium.

Not All Cyber Insurance Policies Are Created Equal

Cyber insurance is still considered to be relatively nascent. Although the
product has existed for over a decade, there is not a lot of standardization
among cyber insurance policies. Consequently, a standard policy may include undesirable
exclusions. It is important to assess your organization's needs, go over
your proposed policy carefully, and negotiate with the carrier over terms
that don't fit your needs. What's more, don't hesitate to shop around.
According to L. D. Simmons, a partner in multinational law firm
McGuireWoods LLP, insurance carriers are still struggling to effectively
price the cyber insurance market. Some have a better grasp on cyber
security risks and costs than others; consequently, the swing in premiums
for identical policies from different carriers can be huge.

Cyber Insurance Can -- and Should -- Go Beyond Hacking Protection

Some cyber insurance policies may not reimburse for the costs of data loss.
Others may reimburse only certain types of costs.

In the wake of a number of high-profile hacks on companies like Target,
cyber insurance may be thought of as a measure to take in case of a data
breach or data theft. It is just as important -- arguably even more so --
to be insured against data loss. Just over four years ago, Gartner
published a study in which the company found that 94 percent of companies
that suffered a major data loss went out of business within two years. Of
those companies, more than 45 percent were put out of business
"immediately."

Even a relatively minor data loss can bring huge costs to bear.
Massachusetts General Hospital had to pay a $1 million fine to the US
Department of Health and Human Services when an employee of Partners
HealthCare (the largest healthcare provider in Massachusetts, of which MGH
is a founding member) left the records of 192 patients on a train.

Fortunately, Partners HealthCare had a cyber insurance policy in place that
covered regulatory costs due to data loss. Consequently, MGH was able to
have the fine offset by the policy.

Cyber Insurance Is No Substitute for Good Security...

Just like auto insurance is not a license to drive drunk, cyber insurance
is not an excuse to throw caution to the wind when it comes to cyber
security. Carriers typically require you to have a certain level of
security already in place to qualify for coverage.

In any event, you will be required to provide an assessment of your
organization's current cyber security. The assessment -- typically
conducted by a third party, unless your business is small enough to assess
itself -- covers such details as password management, data backup
procedures, and security configurations.

...but It Will Probably Improve Your Security

Obviously, the risk assessment of your security practices will impact not
only your qualification but also your premiums. In this sense, cyber
insurance is inherently likely to improve your cyber security because it
forces you to review your practices - and encourages you to make them
better.

What's more, many carriers will proactively help you secure your data in
addition to insuring it. To help ensure a costly payout won't be necessary,
a number of insurance companies offer risk management services to their
clientele. These services can include security plan development, data
security training for employees, detailed vulnerability assessments and more.

The value of these services is evident not only from a security standpoint
but also from a compliance standpoint. "Being able to prove that they
weren't negligent could save organizations millions in the long-run,"
explains Jamie Bouloux, a cyber insurance liability executive at AIG. "[I]f
something happens when a client loses data, they can tell the regulator
that they did everything within reason to try to ensure that there was an
environment of security where its employees knew how to handle client
information."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss