For years, security professionals have been saying “either you have been data breached or you just do not know that you have been data breached.”
Data breaches are now a fact of life together with taxes and death, but how can businesses better manage the risks related to a data breach and reduce the significant cost that can result from them?
One of the options is to buy an insurance.
Cyber liability insurance cover (CLIC) has been available in the market for around 10 years, however most security professionals seem unlikely to have heard of it or know that it exists.
This is odd since most security professionals would have attended a risk training session at some time in their career – where the speaker’s options for risk mitigation would have probably included the transfer of risk. A common way of transferring risk is to insure against it.
CLIC has been most successfully used as a risk transfer option in those countries that have mandatory data breach notification laws.
The best example of this is the United States, where 46 of the 50 states have mandatory requirements for data breach notification. In the UK, the impending draft EU Data Protection Regulation includes mandatory notification of breaches, but the scale and timing of this new regulation is still to be determined.
Data breaches are now a fact of life together with taxes and death
Mandatory data breach notification regulations are in part a driver for CLIC as the costs of notifying affected users can be extremely high.
As the expense of dealing with a breach gets higher – and the cost of dealing with mandatory notification is added – the option of using CLIC will become more attractive for many businesses, in much the same way that existing business insurance policies for fire, flood and theft are a vital itinerary in the risk management toolkit.
Even though CLIC has been around for 10 years or so, many insurers that offered it have not sold a single policy, and in many cases may not have understood the risk that they were actually taking on – this has been very much to do with both the lack of data for underwriting and the lack of knowledge by consumers to understand the risk transference benefits.
With the rise in data breach incidents and impending legislation, this is all going to change.
What is cyber liability insurance cover (CLIC)?
The term "cyber liability insurance cover" is often used to describe a range of covers - in very much the same way that the word cyber is used to describe a broad range of information security related tools, processes and services.
At the moment, cyber liability insurance cover can include;
- Data breach/privacy crisis management cover. For example, expenses related to the management of an incident, the investigation, the remediation, data subject notification, call management, credit checking for data subjects, legal costs, court attendance and regulatory fines.
- Multimedia/Media liability cover. Third-party damages covered can include specific defacement of website and intellectual property rights infringement.
- Extortion liability cover. Typically, losses due to a threat of extortion, professional fees related to dealing with the extortion.
- Network security liability. Third-party damages as a result of denial of access, costs related to data on third-party suppliers and costs related to the theft of data on third-party systems.
Some of the elements of a cyber liability cover may be interconnected or overlap with cover from existing products, including those for business continuity, third-party supply chain issues and professional indemnity. Even if this overlap does exist, a decent cyber liability policy will ensure cyber risks are fully catered for.
How to buy cyber liability insurance cover
Start with the basics
For many insurers and brokers, the technicalities of information security and the details of how to deal with a data breach are still a mystery. The market for cyber liability products is also in its infancy, so be prepared to work with your provider to ensure that you get what you actually require.
A good starting point is to determine what costs or expenses you would like to have covered and what types of incidents you want cover for. Circulate and discuss this list with all the relevant people, not forgetting to get all the information you need from third-party suppliers and partners. List both your own costs (known as first-party costs) and the costs that others may attempt to claim from you as a result of the incident (known as third-party costs).
Getting the right broker is important. A good specialist broker will save you time in determining what is right for your business
Getting the right broker is important. A good specialist broker will save you time in determining what is right for your business, remembering that this may not be the broker you are currently using for your non-cyber risks. Share your list of estimated expenses and costs with your broker and talk through the different exclusions that might stop you from making a claim.
Apart from obviously being responsible for the product, insurance companies are responsible for providing support to your broker about the products. In addition, they will decide if they are willing to take on your risks according to your completed proposal form and what premium you will need to pay. Choosing the right insurer can be the difference between paying little for cover that you will never be able to utilise in the event of an incident or having cost-effective cover where the insurer understands the implications of a breach and the costs associated with it.
Selecting the right policy for your business, business model, industry, size, exposures and so forth is a very complex exercise, which is why a specialist broker is important, as they are likely to know the best products to suit your needs.
It is important to understand the support you receive as part of the cover. Some policies provide a point of contact who will handle everything from the moment the insurer has agreed the claim, whereas others will let you manage the incident and decide which services you want to use from their list of suppliers.
Remember that your organisation may not have the people or experience to manage a data breach incident so third-party suppliers can often be a better route to take.
Beyond the basics
All policies have a set of exclusions, terms and definitions. Understanding these is important, so here are some additional questions to consider;
- What security controls can you put into place that will reduce the premium?
- Will you have to undertake a security risk review of some sort?
- What is expected of you to reduce or limit the risks?
- Will you get a reduction for each year you do not claim?
- What assistance is provided to improve information governance and information security?
- What and how big a difference to your future premiums will a claim make?
- What support if any will be provided to assist in making the right security decisions for the industry / business you are in?
- The security / protection industry is very fast changing, how can the insurance ensure that your policy is current?
- Do all portable media/computing devices need to be encrypted?
- What about unencrypted media in the care or control of your third-party processors?
- Are malicious acts by employees covered?
- Will you have to provide evidence of compliance to existing Data Protection Principles, in relation to your actual processing, to prove you were not acting disproportionately?
- Although ignorance of the law is no excuse, we are just not able to keep up with all the compliance issues that may affect all the territories our company works in, would you refuse a claim if you were processing data that may contravene laws in one country but not another – because insurance policies often stipulate that you must not be breaking the law?
- What if there is uncertainty around whether the incident took place a day before the cover was in place or on the day?
- Are the limits for expenses grouped together in a way that the maximum limit that is covered is likely to be achieved very quickly, unless you increase the cover?
- Are all and any court attendances to defend claims from others covered?
- Could you claim if you were not able to detect an intrusion until several months or years have elapsed, so you are outside the period of the cover, (as with the Red October malware which was discovered after about five years)?
For small and medium-sized enterprises (SMEs) there are very simple policies available, but sometimes these raise more questions than they answer as they do not always provide a long list of exclusions or terms and definitions. At least with detailed polices you should know where you stand.
Having worked with clients who did not have CLIC but suffered a data breach – and witnessed all of the associated angst and costs – I am hopeful that many breached businesses will have an alternative to bankruptcy when they pull their CLIC out of their top drawer.
"No two businesses are the same when it comes to cyber risks, therefore it is key to understand the cyber risks your business faces and to ensure your cyber policy is tailored to mirror those risks," says Erica Constance, divisional director, FINEX Global.
Sarb Sembhi is director, consulting services, IncomingThought Limited
This was first published in July 2013