Protecting Against the Enemies You Cannot See
Security breaches occur in every industry, and they often go undetected and wreak havoc for extended periods of time. They not only cause lasting reputational damage but also carry significant financial consequences, including class-action lawsuits. Companies should also bear in mind that external attackers are not the only source of risk: employee mistakes, disgruntled current and terminated employees, and weak internal security controls are frequent causes as well. Both large and small companies continue to realize that mitigating cyber risk is only part of the solution; transferring the residual risk through insurance is the missing piece.
Overconfident, Underprepared
Most companies are significantly underprepared to detect and respond to a data breach. According to a 2018 Ponemon Institute study that surveyed over 2,800 IT professionals on data breach preparedness, 77% of respondents stated that their organization does not have a formal cybersecurity incident response plan in place. Of those surveyed, 26% have only an ad hoc or informal process, and 27% do not apply their incident response plan consistently across the enterprise. In other words, despite heightened concern over data breaches, more than three-quarters of organizations still lack a formal, consistently applied process for responding to one.
Not All Policies Are Built the Same
Companies should be aware that cyber policies often contain coverage gaps in key areas, leaving the organization unduly exposed. The key to a good policy is sufficient coverage at an appropriate cost. Cyber liability insurance is still relatively new to the market and continues to evolve at a rapid pace. UIC has developed an extensive, in-depth assessment process in this area: a proprietary 200-point audit that shows how well any coverage currently in place actually responds to a breach and serves as the foundation for discussing each entity's unique exposures. Noted below are a few examples of key cyber coverage points often missed in policies offered on the market today:
- Stolen credit card information: Many policies exclude PCI fines and penalties. Typically, when credit card data is stolen, the card brands (Visa, Mastercard, AMEX) assess card re-issuance fees and other costs, which pass down to the merchant through its acquiring bank, and these are not covered unless the policy is expressly endorsed for them. Even when they are covered, the insurer will usually try to sub-limit this exposure, so it is imperative to understand it and negotiate the best coverage terms.
- Regulatory coverage: Coverage should be broad enough to respond to violations of all applicable privacy laws, such as HIPAA, FACTA, and the HITECH Act, and, because cybercrime crosses borders, should also extend to the legislative standards of other jurisdictions, domestic and abroad, such as the GDPR in the European Union and the CCPA in California.
- Gaps in physical computer system coverage: Many policies do not explicitly cover laptops, smartphones, memory sticks, and similar devices, or the losses caused by their theft or bricking.
- Remediation: Several cyber insurance policies cover expenses such as forensics to diagnose a security breach or confirm the presence of malware, but stop short of covering the cost of actually fixing the underlying problem.
- Cyber extortion must include ransomware: Many policies that have not been updated in the last several years do not provide standard coverage for what is today the primary external cyber security risk.
Preparation and a solid framework can make all the difference in matters of compliance, insurance, and legal defense. UIC has instituted best-in-class protocols for cyber liability insurance, and we can put them to work for your company.
An Example in Risk Management
UIC evaluated a retailer of soft goods to determine whether its current cyber insurance policy sufficiently covered its exposure and its PCI compliance obligations. We used our cybersecurity checklist to identify program deficiencies and prioritized them by risk. In addition, we evaluated the company's risk management program to confirm that a solid infrastructure, including disaster recovery and data backup, was in place. Once we had completed the analysis of the retailer's environment, we redesigned the insurance specification to close the gaps, and an extensive bidding process allowed us to do so without increasing cost. At a later date, the client's infrastructure was compromised by a malware (malicious software) intrusion in which the attacker obtained a significant number of customer records. Because of the policy changes UIC had recommended, however, the client had appropriate coverage and was spared more than $1 million in losses.
What Does UIC Think?
Cyber attacks on companies are rising not only in frequency but also in the severity of their cost. As these incidents become increasingly inevitable, it is how the risk is mitigated and transferred that determines the extent of the damage, financial and otherwise. Don't wait for a breach to occur: preparation and a solid framework can make all the difference in matters of regulatory compliance, insurance, and legal defense. Most large companies continue to strengthen their cybersecurity capabilities and security frameworks, while small and mid-size organizations are, by all indications, lagging behind. UIC believes that mitigating risk is only part of the solution; transferring risk through comprehensive cyber insurance can significantly reduce a company's overall exposure.