
Cybersecurity Essentials

Protecting Against the Enemies You Cannot See

Security breaches are prevalent in all industries and often go undetected and wreak havoc for extended periods. These breaches not only cause irreparable reputational damage but also have significant monetary considerations in the form of class-action lawsuits.

Companies should also bear in mind that hackers are not the only source of network risk: employee mishaps, disgruntled current and terminated employees, and loose internal security controls are also to blame. Large and small companies continue to realize that mitigating cyber risk is only part of the solution; transferring the risk through insurance is the missing piece.

Most companies are significantly underprepared in their ability to detect and mitigate a data breach. According to a 2018 Ponemon Institute research study, which surveyed over 2,800 IT professionals on data breach preparedness, 77% of those surveyed stated their organizations do not have a formal cybersecurity incident response plan.

Despite heightened concerns over data breaches, more than three-quarters of organizations do not have a formal process for responding to one. 26% have only an ad-hoc or informal process, and 27% do not apply their incident response plans consistently across the enterprise.

Not All Policies Are Built the Same

Companies should be cognizant that cyber policies often include coverage gaps in key areas, leaving the organization unduly exposed. The key to a good policy is sufficient coverage at an appropriate cost. Cyber liability insurance is still relatively new to the market and continues to evolve rapidly. UIC has developed extensive, in-depth security assessment tools in this area. Through its 200-point proprietary audit process, UIC has provided dramatic insights into the quality of any coverage currently purchased, and the audit serves as a foundation for discussing cyber risk for each entity’s unique exposures. Noted below are a few examples of key cyber coverage points often missed in policies offered on the market today:

  • Stolen credit card information: This exclusion is for PCI fines and penalties. Typically, when credit card information is stolen, MasterCard/Visa/AMEX charges a re-issuance fee which is not covered unless the policy is expressly endorsed. The insurer will inherently try to submit damages; it is imperative to understand this exposure and negotiate the best coverage.
  • Coverage should be broad enough to account for violations of all governmental privacy laws such as HIPAA, FACTA, and the HITECH Act. Given the inherent nature of cybercrime, it should also conform to various jurisdictional legislative standards, domestic and abroad, such as the GDPR in the European Union and the CCPA in California.
  • Gaps in physical computer system coverage: Many policies do not explicitly cover laptops, smartphones, memory sticks, and the loss caused by the theft or bricking of these items.
  • Several cyber insurance policies only include coverage for expenses such as forensics to diagnose a security breach or identify the presence of malware, but stop short of covering the cost of rectifying the underlying problem.
  • Cyber Extortion must include Ransomware. Many cyber policies that have not been updated in the last several years do not reflect standard coverage for the primary external cybersecurity risk that exists today.

Preparation and a solid framework can make all the difference with challenges regarding compliance, insurance, and legal defense matters. UIC has successfully instituted best-in-class protocols for cyber liability insurance, and we can put them to work for your company.
