BreachExchange mailing list archives

5 Tips for Clients to Consider When Buying Cyber Liability


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 18 Nov 2014 19:02:54 -0700

http://www.insurancejournal.com/magazines/features/2014/11/17/346566.htm

There have been myriad articles outlining the benefits of cyber liability
insurance following the well-publicized data breaches of Target, P.F.
Chang’s, JPMorgan Chase, eBay, Home Depot and hundreds of other
organizations. While most people know that cyber liability insurance pays
for claims following a loss, many overlook the benefits to an organization
prior to a breach and even in the absence of a data breach. These pre-breach
benefits not only reduce the odds of having a data breach, but should a
breach occur, having coverage could meaningfully reduce potential damages
and regulatory exposure.

Here are five areas to consider when reviewing cyber liability with
insureds.

Training and Compliance

We know from many reports, such as the Ponemon Institute’s annual Cost of
Data Breach Study, that employees are a leading cause of data breaches.
One way to improve a cyber liability risk profile is to train employees how
to properly handle private information. Some insurers provide a solution
that not only helps train employees, but also monitors progress, tracks
completion by every employee and generates a report that can be used for
many purposes.

Having a high completion rate can be critical following a breach in
conversations with the many regulatory agencies that will investigate.
There is a direct correlation between an organization’s negligence prior to
and during a breach and the magnitude of the possible regulatory fines and
penalties. Privacy attorneys say their discussions with regulators are far
more pleasant when they can quickly demonstrate a breach stemmed from an
honest mistake rather than negligence or indifference.

Network Testing

Insurers have partnered with well-known security firms to help assess the
strength of network security. These firms can provide vulnerability scans,
Internet traffic tracking, and penetration tests. This shouldn’t be viewed
as a threat to the competence of an IT department, but rather an additional
assessment that’s free. Typically the results are not shared with the
insurance company. Insurers benefit by knowing that their clients are using
high quality vendors to protect their networks and reduce the odds of a
loss.

Risk Management Portals

Most insurers offer risk management content from highly specialized vendors
on a web portal specifically for the use of the insurance buyer. These
portals typically contain sample privacy policies for websites and employee
handbooks, data breach examples, loss calculation tools, FAQs, vendor due
diligence assistance, risk management tips, news articles and claim contact
information.

Hotlines

Some insurers will provide access to both legal and IT professionals to ask
questions about incidents that may constitute a breach. With multiple
federal regulations and 47 out of 50 states having their own privacy
regulations, it is often hard to discern if an event is material enough to
disclose to regulators or the individuals whose personally identifiable
information (PII) and personal health information (PHI) was potentially
compromised. Every legitimate breach needs to be disclosed in accordance
with the applicable regulation, but some events do not need to be
disclosed. The disclosure of an event that doesn’t constitute a breach can
lead to regulatory attention as well as reputational harm.

Battle Plans

Often included with cyber liability policies is a roadmap of what to expect
in the event of a breach, including a “breach coach” that coordinates all
the players on an insured’s behalf. Among the players: a forensic security
vendor, law firm (protecting the process with attorney client privilege),
public relations professionals, notification firms, credit monitoring
firms, identity restoration firms, insurance company claims contacts, PCI
compliance experts, forensic accountants and call centers. Many risk
managers buy cyber liability insurance just to get the prepackaged “SWAT”
team.

With cyber liability insurance policies, insureds get a two-for-one deal –
an insurance product that may cover financial losses and expenses
associated with a data breach, and a host of services that help lower the
risk profile.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/