Companies can limit their exposure to data breach expenses by acquiring cyber-risk insurance, but only if the company selects coverage appropriate for its potential exposure, which is determined by the company’s industry, involvement in e-commerce and size. The maxim caveat emptor (buyer beware) emphatically applies to the evolving cyber-risk insurance market.
Data breaches can seriously affect an organization’s bottom line, as shown by the reported costs of notification and remediation borne by Target, Michaels and eBay, and by the litigation brought by the Federal Trade Commission against Wyndham Worldwide Corporation, followed by shareholder suits against Wyndham once the FTC action commenced. Mainstream news outlets tend to focus on the cost of a breach to a large company such as Target, Michaels or Sony, but less publicized breaches can be just as costly and can threaten the well-being of companies of all sizes. Proactive measures such as effective security protocols, workforce security training and mock attacks to test system defenses can reduce the risk of a data breach, but they cannot eliminate it, just as safe driving cannot completely eliminate the risk of an accident. Like auto insurance, cyber-risk insurance offers a measure of financial protection against the risk that remains, but with more restrictions.
Though more insurance carriers are entering the cyber-risk market, the available limits of coverage, as a general rule, may be less than the actual costs associated with a data breach. This is due, in part, to the lack of historical actuarial data on cyber-risks (computers have been used in industry for far less time than, say, automobiles and machinery), which makes it difficult for insurers to price the risk they are assuming when setting premiums. In addition, while certain “hard costs” of a breach are quantifiable, such as notification to affected persons, credit monitoring for those persons and counsel fees, the potential damage to a company’s brand from a data breach can vary from business to business, even within the same field.
Many policies exclude certain types of breaches, such as state-sponsored attacks, and exclude certain types of damage from coverage. Many also will not cover regulatory proceedings, such as actions brought by the Federal Trade Commission or by the U.S. Department of Health and Human Services for HIPAA violations, unless the insured purchases a Regulatory Defense Endorsement at additional cost.
Optimizing a company’s cyber-risk protection involves two things: preparing and documenting the company’s information security safeguards, to address an underwriter’s concerns and obtain the most favorable premium, and thoroughly reviewing any proffered policy to determine whether its limits and exclusions fit the company’s risk profile. Should you need assistance in evaluating a cyber-risk insurance policy for your company, or would like to learn more about cyber-risk insurance, please contact us.