In our most recent blog, Brad Pierce discussed what a cyber insurance policy is not. It is not a savior in the wake of a data breach. It is not a replacement for proactive, resilient security measures. What it is, however, is one component of an effective incident response strategy. In this post, I would like to take the time to discuss the considerations organizations should weigh when purchasing a cyber insurance policy.
It is impossible to go through a week without hearing of another company experiencing a data breach. The media loves to focus on the here and now, but there is very little focus on all that a company must do behind the scenes to address a breach after it occurs. The recovery process is arduous, time consuming, and very expensive. Because hackers and nation-state threat actors continually target businesses of all sizes, cybersecurity insurance has become a critical component of an effective incident response strategy. Though companies are aware that they need a cyber insurance policy, the question that is not always asked is what elements make up an effective policy. As Brad Pierce noted in his previous blog, insurance companies selling the policies typically have a formula for calculating the amount of coverage needed based on the amount and type of data held, in conjunction with the preventative measures already in place. However, it is important to know which elements of incident response may need to be covered by that policy.
Though the following elements are not exhaustive, they do provide a starting point for discussing a policy with an insurance company and determining whether it covers the primary bases:
- Forensic Investigation Costs: Once it is determined that an incident has occurred, a company must first determine the extent of the data that was lost. To get a true picture of all that occurred, an experienced forensic investigator must be called and brought onsite very quickly. Insurance providers that offer cyber insurance typically have a list of vetted companies that provide forensic investigation services. It is important to have a forensic investigator with a solid reputation who can be onsite to begin the investigation within a short period of time.
- Regulatory Penalties and Fines: Depending on the industry in which a company operates and whether the company is publicly traded, regulations are likely to be abundant. It’s important to have a knowledgeable lawyer or legal team that can pinpoint the regulatory penalties that may result from a data breach. Data privacy has been highlighted in the past few months with GDPR being adopted in Europe. Large fines could potentially result from a breach, and having a complete understanding of the regulatory penalties is imperative to ensure the policy coverage is adequate and guaranteed.
- Business Interruption Coverage: When a cyber incident occurs, a company may be unable to access its key applications or critical data for an extended period of time. Hackers may even gain control of backups and prevent a company from attempting to restore its systems. Depending upon the extent of the incident, time really can be money. The inability to serve customers or provide them with data can bring business continuity to a screeching halt. While it is important to have an adequate incident response plan in place to address potential business interruption, it’s also imperative that the cyber insurance policy have adequate coverage to make up for lost business and revenue.
- Extortion-Related Costs: As previously stated, hackers often have the capability to gain access to a company’s data and to lock employees out of the applications, databases, and backups where this data resides. This is often evidenced with ransomware. Hackers may demand payment in exchange for the key needed to regain control of systems and data. Often payment is required to be made through more technical avenues, such as Bitcoin, that are difficult to trace. Cyber insurance providers worth their salt will consider that a company may need to make a significant payment to a hacker and will also have quick access to payment methods such as Bitcoin to allow for seamless business resumption.
- Credit Monitoring and Breach Notification Costs: If a hacker gains access to sensitive personal and financial data belonging to customers/patients, employees, vendors, etc., the impacted company is responsible for providing credit monitoring services to the impacted parties to ensure that the stolen data is not used in a malicious way. Depending upon the size of the incident and the number of people impacted, a payment will have to be made to a credit monitoring agency for at least a 12-month period. Breach notification laws are in place within the states that spell out requirements for how the impacted parties must be notified of the incident. Larger companies likely have customers and employees scattered throughout a variety of states, resulting in larger legal costs to ensure that the breach notification rules are properly followed for each state. Notification requirements have gotten even more complicated in the past several months with the adoption of GDPR in European countries. If a company has a European office or an online presence with European customers, it is important that the cyber insurance company has access to a legal team that is familiar with GDPR and with the process for communicating the breach to impacted customers/clients.
- Public Relations Related Costs: When the news of a data breach is made public, a company’s most valuable commodity, its reputation, is truly put to the test. When reviewing a cyber insurance policy, it’s imperative that costs related to hiring a public relations team be considered. A cyber insurance provider should have a list of vetted public relations groups that are experienced with the variety of communication avenues, such as television, newspapers, online, etc., that will be necessary to explain the incident, how it is being handled, and the efforts being made to protect current and future customers from a recurrence. The services provided by a public relations firm are not cheap but should be viewed as a necessity to ensure the many years spent building a reputation are not wiped away by one incident.
Insurance is one of those necessities that we hope never to have to use, but it’s always a relief to know that it is there when we need it. With the dramatic increase in cybercrime and companies being the primary target of hackers, cybersecurity insurance is no longer something that can be ignored or dismissed as only a larger company’s problem. Data breaches happen to companies of all sizes, and it is important to make sure that adequate cyber insurance coverage is in place as part of your incident response strategy. Companies should invest significant time and research to ensure the cyber policy includes the elements mentioned above and that the coverage amount is adequate and manageable.