With the cost and frequency of data breaches continuing to rise, the demand for cyber risk insurance is also growing as more companies are looking for protection against the financial damage of a major cyberattack. In fact, the number of companies purchasing cyber insurance increased approximately 250 percent between 2013 and 2015, according to the Ponemon Third Annual Study on Data Breach Preparedness.
Yet, as more companies look to purchase insurance coverage for this complex and often nuanced area, they are faced with a patchwork of different policies, price points and exclusions that must be carefully evaluated. While responsibility for this task often falls to chief risk officers at companies and the insurance brokers that advise them, cybersecurity professionals must also play a key role in the process. These experts often have the best knowledge of the major cyber security risks that should be covered, as well as the protections that should be in place to prevent a security incident. These insights are vital when engaging with insurers.
Ultimately, collaboration across functions is vital to successfully selecting and managing a cyber insurance policy. The following are some of the best practices and key considerations to keep in mind when selecting coverage.
Have a Strong and Well-Documented Security Posture
As the saying goes, the best offense is a good defense. Having a strong and well-documented security program in place can help to potentially reduce the cost of insurance or put a company in a stronger position to negotiate more favorable terms. Companies that can demonstrate that they are following security best practices to prevent attacks and that they have a plan in place to manage a potential incident are often more attractive to insurers.
There are several steps that cybersecurity professionals can take to help in this process. For starters, having a well-documented data breach response plan in place and practicing it on an ongoing basis better prepares and equips companies to respond to an attack in a timely and sensitive manner. Further, regularly conducting internal and third-party audits of corporate networks, as well as third-party cloud providers or other organizations that have access to sensitive information, can help prove to insurers that the company is effectively managing security risks and is compliant with applicable laws.
Beyond having these practices in place, it’s important that companies are able to document and share details with underwriters about their company’s security posture. For example, providing information about how your organization holds vendors or other third parties (that may have access to your sensitive information) accountable for meeting the same level of security standards, or if systems meet key industry standards like ISO 27002.
Properly Evaluate Policies
If the policy chosen meets a company’s risk profile cyber insurance coverage, it can provide many benefits, which is why the involvement of security professionals is key. As policies, price points and exclusions vary across insurers, risk managers and security professionals will largely benefit from working with brokers during the selection process. Brokers are knowledgeable about the variety of policies available and can ask insurers critical questions about both their experience handling these types of events (i.e. how much loss experience they have, whether or not they’ve paid actual data breach claims and covered major incidents) and about the inclusions and exclusions of policies to ensure their company is choosing the best priced and highest quality option.
Specifically, when working with brokers to evaluate policies and determine the coverage best suited for a company, there are several key pieces to look for:
- Existing exemptions – many older generations of cyber insurance policies contained exclusions, so it’s important that all aspects of a response both pre- and post-breach are covered. Determine what’s really included and excluded in a potential future loss and whether or not specific policies account for the unique risks or needs of your organization.
- Coverage for external vendors – as companies often use third-party cloud or other IT providers, many policies include coverage for vendors who have access to an organization’s sensitive information. While some of the liability may ultimately lie on the third-party provider if an incident occurs, this isn’t always the case so be sure this isn’t an area of oversight for your company.
- Coverage for response services – often policies will include coverage for crisis response services including forensics, legal and data breach resolution partners, and will outline experts that can be used during an incident. In some cases, companies and brokers can also negotiate using their own preferred providers, but this should be determined prior to purchasing, in order to guarantee that your response team is comfortable with the options available.
- Risk management services – to help companies effectively prepare for a security incident ahead of time, many policies will offer resources and guidance on response plans and practices that will help the company mitigate the fallout of an attack. Some policies even take a company through a cyber-security drill to help them better prepare. Such added benefits can be very useful to companies in times of crisis.
Cybersecurity leaders play a major role in setting their companies up for success when buying insurance. By establishing a strong security posture ahead of time, identifying their company’s needs, and sharing this information with risk managers and brokers they can greatly influence and benefit the purchasing process.