According to the 2018 Hiscox Cyber Readiness Report released in February, 58 percent of U.S. firms with more than 250 employees have cyber insurance but only 21 percent with fewer than 250 are covered. What’s even more interesting is that more than half of U.S. small businesses have no intention of investing in cyber insurance.
The lack of complete buy-in is understandable. Although cyber insurance coverage can mitigate some of the monetary damages from data breaches, affected companies still incur large costs. For example, Equifax reported $275 million in costs from 2017 breach – insurance covered $75 million of those costs. Target data breach costs were nearly $300 million but $90 million was covered by their insurance.
One of the ways organizations can ensure they are getting the highest level of coverage possible from their policies is to ask the right questions and reduce risk through cyber security programs.
Do You Know What’s in Your Cyber Insurance Policy?
With the rise in importance of cyber insurance, I’m often asked to not only review client’s policies, but also provide them with feedback on how to include these policies into the organization’s cyber security incident response plan (CSIRP).
More often than not, I find my clients are not as familiar with the specifics of their insurance policy as I’d expect. You may share the same lack of confidence in articulating the coverage areas, limits, and requirements of your policy. It’s understandable. Cyber insurance policies can be intimidating. No offense to the gurus of the insurance world, but the policy language often comes across as legal jargon. For the non-insurance, non-lawyer types, these policies are often hard to read and difficult to understand.
To make things easier, let’s focus on the essentials of the policy you need to understand:
- Your requirements for initiating a claim (make sure to link this information to your CSIRP)
- The types of incidents that are covered and how they’re defined (as specific as possible)
- If you’re required to use a pre-approved list of providers for forensics, notifications, and legal services
Note, for the last essential, you should pre-vet the vendor list or get approval to use your own contracted service providers.
Who Reviews the Policy and Makes the Purchase Decision?
Another interesting thing I’ve noticed when reviewing policies is that they’re typically purchased by the folks in your risk management or financial services departments. These are the same departments that are normally responsible for a variety of business-related insurance policies designed to transfer risk.
The good news is that they understand the ins and outs of buying and renewing insurance policies. The bad news is that they aren’t including information security leaders and legal representatives in the policy review, selection, and negotiation process. It takes a well-rounded team of experts from risk, legal, finance, and security to make the best policy decisions for the organization.
How Much Coverage is Enough?
It can be very challenging to determine how much coverage is enough, and honestly, you may not really have enough information to make a well-informed decision until after you have lived through your first claim.
I suggest researching the use case history for comparable organizations in your industry that have been hit. What has it cost them? How much did their cyber insurance cover? Some Fortune 1000 companies are now looking for policies covering up to $500 million. Consider your most likely scenarios and assess these scenarios prior to renewals on an annual basis.
More Expertise: To learn more about important cyber insurance considerations you need for incident response, view our on-demand webinar, “Data Breach Survival Tactics: Building Actionable Incident Response Plans.” For policy concerns specific to law firms, check out our blog, “Pitfalls of Cyber Insurance Policies for Law Firms.”
Stephanie Ewing-Ottmers is a cyber security evangelist at Delta Risk LLC, a Chertoff Group Company that offers managed security services. Read more Delta Risk LLC blogs here.