Data breaches are unpredictable by nature, but there's no denying that they pose an increasing threat to healthcare entities of all sizes. That's why current risk-management strategy calls for consideration of cyber insurance, according to a recently published report by ID Experts.
"Evaluating the need for cyber coverage is not a one-person job," read the report. "Companies should discuss their data breach risks and risk-management options cross-functionally, involving leaders from IT, risk management, privacy, compliance and legal departments. Working together, executives can more accurately quantify risks, evaluate options and develop a cost beneficial analysis to determine if cyber insurance is the right investment for their needs."
The report describes 10 things to study before purchasing cyber insurance.
1. Assess the risks for a data breach. According to the report, each entity needs to evaluate its overall risk of experiencing a data breach, and the sensitivity of its data. Some factors to consider, it continued, include applicable rules and regulations, the amount and type of data that an organization handles, the prominence of its brand, the use of mobile devices, and the number of third-party contractors with access to sensitive data.
2. Determine the financial resources available. In 2011, the Ponemon Institute reported that cyber crimes cost organizations between $1.5 million and $36.5 million per data breach, the report noted. "When considering data breach risk management options, organizations should determine if they have the financial resources to cover network downtime, legal fees, forensics investigations," the report stated. Additionally, it's important to keep in mind the costs associated with identity monitoring and recovery services, regulatory fines and penalties, and expenses stemming from a class-action lawsuit.
3. Understand current insurance coverage. Most organizations hold general liability insurance or property insurance that provides coverage for tangible property only, such as replacing stolen laptops, according to the report. "However, the liability policy may not cover the cost of a hacker intrusion that results in the breach of customer data," it read. Traditional policies, it continued, also don't overtly cover first-party breach notification costs. "These gaps could leave an organization responsible for the full cost of a data breach response. Cyber insurance can be used to help cover those costs."
4. Evaluate policy options carefully. Typically, cyber insurance provides coverage for liability for data breaches, remediation costs to respond to the breach, and regulatory and legal fines and penalties. "However, the limitations on the coverage can vary widely based on the carrier, the type of industry and the company's risk profile," the report read. In turn, the terms of a cyber insurance policy may restrict the way an organization responds to a data breach. "For instance it may cover credit monitoring services for a breach of protected health information," a type of breach for which, the report continued, monitoring the patient's medical identity is the useful service.
5. Perform a risk assessment. Performing a comprehensive privacy and security risk assessment can help an organization identify, evaluate and mitigate gaps in its security and privacy program, according to the report: "Lessening those gaps can reduce breach risks and lower exposure if a breach does occur." Having a risk assessment on file, documented by a third party, can help speed up the underwriting process and may even lower insurance premiums.
6. Find a knowledgeable broker. "A broker who understands cyber insurance can break down and compare the offerings from different insurance providers," read the report. Brokers often offer value-added services that can help identify and mitigate breach risks, as well as validate the need for a policy. "Look for a broker that has experience with cyber insurance and that carries several options."
7. Take advantage of value-added services offered. Some insurance brokers and carriers offer complimentary value-added services to help reduce breach-related risks, the report noted. This could include free consulting or legal advice, access to a proprietary portal with privacy and security resources, and educational webinars. "When weighing policy choices, organizations should evaluate these services as part of the overall offering. As a plus, these offerings may help improve a company's risk profile and lower its insurance premium."
8. Get preferred vendors approved before the policy is finalized. Cyber insurance policies may require companies to use pre-approved vendors instead of their own service providers, such as legal counsel, when responding to a breach, according to the report. "Such limitations can impact the quality of a response. For instance, the use of an out-of-the-country call center to manage the breach of sensitive medical data." Instead, the report's authors advise companies to negotiate the right to use favored vendors or select their own vendors before the contract is finalized.
9. Understand how to integrate the insurance claims process with internal processes. A cyber insurance policy should change the way an organization internally manages data breach incidents, the report stated. "Post binding the policy, companies should understand how and when to involve their carrier if a data breach occurs," it read. This could include updating any documented procedures, like an incident response plan with new roles and responsibilities, revised timeline and current contact information.
10. Avoid common pitfalls with an insurance carrier. According to the report, disputes with a carrier arise most often when the insured doesn't fully understand the policy, which can lead to a disagreement over what is covered. "For example, the carrier may mandate the use of its pre-approved vendors, while an organization may prefer to use its internal resources or favored vendors. It's best to resolve these conflicts before binding the policy."
Photo attributed to Joshua Sherurcij via Creative Commons license.