With all the data organizations produce, collect, and store, the digital space is rapidly becoming a playground for cyber attackers. PwC reports cyber crime costs the global economy $400 billion annually, and that number keeps rising. There are steps your organization can take to prevent these costly breaches, including honing your encryption strategies and making sure employees pay close attention to their data moves in the cloud. There’s also cyber insurance, sometimes called cyber liability insurance coverage (CLIC). I wrote about cyber insurance recently, and whether or not you need it here: Cyber Insurance: What it is, What it Covers, and Whether (or Not) You Need it.
If you’re thinking about investing in CLIC—and you should be—here are ten questions you should ask your prospective cyber insurance provider.
- What types of incidents are covered? There is no underwriting standard for CLIC, so it’s imperative that you understand exactly what is covered by a prospective policy. Most cover first party damages (that your company incurs directly, like fines or data recovery costs) as well as third party damages (that affect your customers or partners who may hold your company accountable). Get your legal team involved to review this information as well to make sure it meets your expectations.
- Are there any types of incidents that are specifically excluded from coverage? Some companies will exclude certain incidents from coverage if they’re deemed risky from the beginning. For example, a breach stemming from an unencrypted smartphone in an office with a bring-your-own-device (BYOD) policy might not be covered. What about coverage in the event you don’t have a BYOD policy in place? These are important considerations in today’s world, where BYOD is a reality no matter what the size of your organization.
- Are there any regional restrictions on the policy? There’s been a shift toward globalization for many organizations, particularly in the enterprise. Make sure you know if there are any regional restrictions on the policies you’re reviewing. For example, if you conduct business in another country and suffer a breach stemming from that outside location, are you still covered? What about if an employee is traveling in another country using an unencrypted personal device and a breach occurs? Even if your business doesn’t fall into that global category, it’s still important to know the territory limitations placed on your policy and plan accordingly.
- How long after a breach occurs do you have to report it without losing coverage? Many cyber attacks can take a significant amount of time to uncover. Explore the reporting timeframe for the policies you are considering, and perhaps also consider the sometimes-available extended reporting option that’s offered on many policies if you feel late discoveries might present a problem.
- After reporting a cyber attack, how quickly does the provider respond? Just like you have a responsibility to report a breach in a timely manner, your insurer should be contractually obligated to act quickly, too. Check out each prospective provider’s minimum downtime period. If it is 24 hours or longer, factor that into your decision-making process.
- Is the provider knowledgeable about your industry? Some industries have very specific data compliance rules (like HIPAA for healthcare, for instance). Be sure the providers you are considering understand the data handling rules of your particular field before continuing with them.
- What is the cost? As with any insurance purchase, cost is an important factor, but the adage that you get what you pay for is also important to keep in mind as you explore potential vendors. Make sure you’re comparing apples to apples and have covered all your bases. It’s also smart to explore whether there are additional data security steps your organization can take internally to reduce your CLIC premium and, more importantly, better protect your organization.
- If a breach occurs, how does that affect your premium? Understand the impact that making a claim will have on your premium. For example, there might be an instance where making a claim on a small breach actually might not be the best option, so be aware of the premium structure.
- How flexible is the provider in terms of modifying coverage to meet evolving threats? Things move quickly when technology is involved, and a good CLIC policy should be built around that truth. The business of insuring against data security is still a little bit of a Wild, Wild West, so it’s smart to work with a vendor that is adaptable. As part of your vendor vetting process, ask about the identification of additional risks and whether it’s possible to amend a policy, and the processes involved. Better to know up front than to be stuck with something that doesn’t quite provide all the coverage you need.
- Does the provider require you to comply with any specific compliance or audit obligations? To keep your policy current, a majority of CLIC providers require a regular audit or compliance review. Make sure the audit rights a prospective vendor requires aren’t too much and, if possible, request an independent expert to perform the audit for maximum transparency.
I don’t see how it’s possible to operate a business of any size today without having cyber insurance—the risks are too great. Consider this: The 2016 IBM-sponsored Ponemon Institute study estimated the likelihood of a material breach affecting 10,000 lost or stolen records in the next 24 months at 26 percent. The study reported the consolidated cost of a data breach rose from $3.8 million to $4 million in 2016. Think about the impact of that cost on your business.
Breaking it down even further, the Ponemon study reported the average cost incurred for each lost or stolen record containing sensitive or confidential information was $158. Think about the number of sensitive or confidential records your business controls and multiply that number by $158. Then evaluate the coverage you have, or the coverage you need.
Choosing a provider, however, isn’t a process you should take lightly. Make sure you vet prospective insurers by asking the right questions and save yourself headaches down the line.