You do everything you can to have good cyber hygiene. You prioritize key services, establish an incident response plan, implement controls to protect data, perform periodic monitoring, and manage risks from outside suppliers.
But, despite all your best efforts, there is still a chance that a security breach will happen to your organization. A Ponemon Institute study puts the chance of a cyberattack as high as 1 in 4 – more than double the chance of catching the flu during winter.
Practicing good cyber hygiene, encrypting data, educating employees on social engineering, and eliminating new routes for hackers to exploit help lessen the threat. But what happens if a security breach still happens?
Regardless of whether your company provides cyber-related services or, more simply, you use data and technology to run your business, the question of cyber insurance becomes critical as part of breach response. This article will consider best practices for cyber insurance in two scenarios:
- If your organization does not have cyber-related coverage
- If your organization does have coverage, but it has not been reviewed for over a year
With the increasing frequency of high impact and publicly disclosed cyberattacks and data breaches in the world, more executives are asking themselves if they are at risk and what can be done to protect their organization against loss.
What to assess if you don’t have cyber insurance
If you haven’t explored a cyber-related insurance policy before, you’ll need to ask yourself a few questions:
- How much cyber risk does your organization have? Even if you aren’t in a technology-focused industry, you may still have risk related to information technology or cyber assets. If you’re using internet connected technology to run your operations, or marketing any solution that has an online component, you have some element of risk. If cyber risk isn’t already considered in your enterprise’s risk assessments, you may want to consider engaging outside advisors to incorporate it into your program.
- What does your company have in common with other high-profile data breach targets? Think of the major data breaches in recent years. Retail, hospitality, finance, healthcare, e-commerce and transportation have all been and continue to be targeted by cybercriminals. What are the common threads connecting these industries? Does compromised data in any of those cases bear similarities to your business? Would your cyber security program protect against the methods that were used in these cases?
- Are there policies that would align with your level of risk? Not all cyber insurance policies are alike. While many cover damages sustained through identity theft and reimburse legal fees, others contain exclusions that deny coverage for third parties or professional services. Research available policies to determine the right fit based on your level and type of risk, and involve all relevant stakeholders, including those outside your organization where necessary.
Determining your organization’s cyber risk profile and analyzing the best coverage to mitigate risk and loss takes a very specialized skill set and up-to-date knowledge of the insurance products available. This makes finding the right experts essential. Don’t assume the resources who advise your organization on other insurance products will be the right resources for your cyber risk profile.
What to assess if you already have cyber insurance
If your company does have coverage, it is a good idea to review the policy terms and coverage before you renew the policy. Here are some questions to ask as you review:
- Does my policy evolve with new threats? Cyber threats, and the insurance that covers them, evolve every year. Privacy concerns and regulatory risk are becoming more and more prominent, especially if you collect sensitive data or personal information. If you’re in manufacturing, you’re likely dealing with overall business interruption risk – and any losses that might result from those stoppages.
- Can I save money or increase my coverage? The cybersecurity landscape changes quickly, and the amounts and types of coverage you need might also change based on your changing business strategy, risk appetite, or risks in your industry.
While having some cyber security coverage is common, the cyber insurance industry has developed rapidly. Many unique coverages now exist that allow businesses of varying size and complexity to closely match their existing organizational risks. Purchasing a tailored cyber policy after careful analysis of your organization’s risks may provide vital protection for your organization going forward.
Disclaimer: The content in this article is not intended to serve as advice or guidance on specific insurance policies. U.S. Bank, U.S. Bancorp Investments and their representatives do not provide insurance advice. Your insurance situation is unique. You should consult your insurance advisor for advice and information concerning your situation.