Cyber Risk & Privacy Liability Forum
By Jeremy Henley - Article on July 03, 2012
At the beginning of June the “who's who” of the Cyber Insurance world descended on Philadelphia to attend the 3rd Annual Net Diligence Cyber Risk & Privacy Liability Forum. The objective was to discuss and debate a variety of topics around insuring against the risk of a data breach. Mark Greisiger, President of Net Diligence, welcomed the audience and the speaking panels, which consisted of underwriters, brokers, risk managers and vendors that work in the data breach world. The conference gives risk managers the opportunity to learn the basics of cyber liability insurance policies, how to manage and reduce their organization's data breach risks, and how best to minimize their exposure should a data breach occur.
This year's conference attendance grew thirty percent, which to me is a strong indication that Cyber Insurance is becoming a standard coverage like General Liability or Errors and Omissions insurance. Cyber Insurance coverage is still fairly new, so policies can vary significantly. Organizations interested in cyber insurance coverage are encouraged to take their time evaluating policies and complete thorough due diligence before binding a policy. This conference is a great way to start your due diligence process.
One of the more interesting sessions, other than the one I presented on, was the “Regulatory Challenges of Today.” This panel was moderated by Tracey Vipoli, SVP at CHUBB Group Insurance, and featured Katherine Race Brin from the Federal Trade Commission. A good portion of their presentation focused on the Securities and Exchange Commission's guidance on the disclosure obligations relating to cybersecurity risks and cyber incidents. The SEC has elevated the conversation about cyber risks from the IT or Compliance Department to the Board of Directors. The panel made the point that many publicly traded organizations are now seeking financial tools, like cyber liability insurance, to offset their exposures. At ID Experts, we have also seen an uptick in the number of organizations proactively seeking our services prior to a privacy breach event.
There was also a session on healthcare that highlighted the complexity of compliance for healthcare organizations. This conversation acknowledged the challenges of maintaining patient privacy and securing sensitive data while complying with the numerous regulations placed upon healthcare organizations. Additionally, if an organization has a breach and is out of compliance, it is at an increased risk of fines and of being placed under a corrective action plan.
A big takeaway for me was the similarity between the Federal Trade Commission's investigations and the Office of Civil Rights' post-breach privacy investigations. Both agencies' investigations evaluate organizational policies and procedures, determining whether they are current and whether they are being followed consistently. The number of investigations completed by the FTC is much greater than the number completed by OCR. I found this interesting because we are now beginning to see the Office of Civil Rights ramp up its investigation program and levy fines against organizations that are found out of compliance. If the OCR follows the FTC's lead on privacy breaches, it is about to get more expensive to be a healthcare organization, unless your business is compliant with HIPAA and HITECH regulations prior to a data breach.