Cyber Insurance and Your Data Breach: A Good Fit?

Last month ID Experts conducted a webinar on the risk factors and practical considerations that organizations have when faced with the unauthorized exposure of privacy data—and how cyber insurance can help assume some of that risk.

Data breaches are unpredictable, and it’s difficult to budget for unexpected expenses. Cyber insurance can help offset some of that cost, especially as new trends in technology are increasing the likelihood of a data breach. To cut costs and increase efficiencies, for example, organizations are turning to the cloud to process its data, including personally identifiable information (PII), and protected health information (PHI).  Organizations are also enabling employees to use personal mobile devices to do their jobs. Both of these trends put privacy data in more hands and in less-secure environments than ever before.

Another area of increased risk is the growing use of business associates. Business associates, or third-party contractors, account for 46 percent of all data breaches, according to a 2011 benchmark study on patient privacy and data security by the Ponemon Institute.

Cyber insurance closes the gap of traditional policies by covering the unique costs a data breach can incur. Some of these components include privacy and security liability, breach notification coverage, fines and settlements, data asset loss, and credit monitoring. But before rushing to the nearest insurer, organizations would do well to ask some important questions:

• What do I need coverage for? What is a worse-case scenario?
• Does the policy cover third-party data breaches?
• Does it only cover technical breaches, such as the theft or loss of computing devices?
• Am I allowed to choose my own vendors, or am I required to select from a pre-approved panel?
• Does it cover unique circumstances, such as medical identity monitoring for the breach of PHI?
• What additional resources are available to me, such as a breach coach or public relations?
• What benefits do I receive for using a pre-approved vendor, such as increased coverage limits or lower rates?

Perhaps the best way to select a carrier is with an experienced broker who understands the complexities of cyber insurance. Before buying a policy, organizations should conduct a thorough privacy and security risk assessment and determine who their vendors will be, including preapproval for preferred vendors. In addition, a thorough review of its Incident Response Plan (IRP) can help organizations align their internal response processes with the stipulation of the policy.

Cyber insurance can provide financial peace of mind for organizations tasked with protecting privacy data, especially in a time when data breaches are on the rise. However, cyber insurance does not cover every aspect of every data breach; the best way organizations can protect themselves is through prevention and preparation.