Cyber Insurance: Preparation for a Breach

Managing risk in a digital infrastructure is an increasingly complex and challenging problem, one that can’t be completely mitigated through technology, and the cost of data breaches are increasing.  The average organizational cost of a data breach in the U.S. is $5.85 million.  The average cost of data breach notification alone in the U.S. is $509,237.   Premiums and limits of liability vary widely, and organizations must exercise care to identify their unique risks and obtain coverage for those risks at costs they can reasonably absorb.  Note that the cyber insurance industry is still nascent, and some policies include unreasonable limitations and exclusions – but if you are aware of them ahead of time, you may be able to negotiate better terms or find better policies.  Of the limitations that are most important, you should be able to select your own forensics firm and your own legal counsel.  Limitations on those choices can have terribly adverse consequences.

What does your policy cover?

• What is your first party coverage?
• What is your third party coverage?
• Remediation costs?
• Fines and penalties?
• Risk management costs?
• What is the retroactive date? Selection of legal counsel?
• Selection of breach response vendors? Employee owned devices?

Do the limits of liability match your realistic exposure?

Selecting Vendors, Legal Counsel

When selecting their cyber-insurance polices, organizations should make sure they have the ability to select for themselves the breach response vendors and legal counsel they deem appropriate, says Hoar, a former lead cyber attorney for the U.S. Department of Justice in Oregon.

A Knowledgeable Broker

“It’s critical that organizations work with a knowledgeable broker who can understand an organizations unique risks and explore and explain appropriate insurance options,” Hoar says.

“This (process) should involve a virtual walk through of the possible types of breaches and compromises that might occur, and how the policy would apply to the different scenarios,” he says.

The broker also should describe the step an organization would need to take to involve the insurance carrier should a breach or compromise occur.