Cyber insurance has actually been around since the 1990s, but it’s only recently become a hot topic. With Target, Home Depot, Anthem, Sony and other large breaches grabbing headlines, business owners are showing more interest than ever in cyber insurance. If businesses with six- and seven-figure annual cyber security budgets are getting breached, it’s time to accept the fact that this is a very real threat that every business will face at some point.
Unfortunately, many cyber insurance shoppers don’t understand the “exclusions” or what coverage is appropriate for the company. When the inevitable breach happens, payouts are reduced or denied, or the company discovers the coverage they really needed isn’t part of the policy.
How do you get the right coverage? Take the time to consider what the most critical data and systems are, and focus on protecting those first. The type of data makes a difference too – loss of intellectual capital is different than loss of protected customer data.
Once you’ve decided on the right coverage, go through potential policies with a fine-tooth comb to make sure you and your team understand what the policies will cover and what they won’t.
In order to survive a breach, a business needs three things:
- The business must adhere to the compliance program(s) that apply to it. For example, if the business processes credit cards, it must comply with PCI. If there is no specific compliance program that applies, compliance defaults to the business’ security policies.
- Insurance strategy. First-party policies address damage to computer and network assets, and interruptions to the business. Third-party policies address breach-related services and fees such as fines, forensic investigations, credit monitoring, PR, legal defense and compensation.
- Incident response capability. You need an incident response plan and resources identified to handle all aspects of a breach such as legal representation, a cyber-security firm to handle the technical aspects and recovery from the breach, and a communications plan for employees, clients and customers.
It’s important to understand that taking out cyber insurance policies does not mean you’re then free to ignore security. If your security is weak, chances are the policy’s exclusions are going to prevent your claim from being approved.
Security is not a “set it and forget it” exercise; you and your team need to be vigilant and proactive in maintaining a state of security and compliance at all times. While this is generally a good practice, it will also mean your claim is much less likely to be denied.
If you need help with evaluating your cyber policies and the security of your business, contact us today.
*Sera-Brynn is not an insurance company or insurance reseller.