11 Steps to Crafting a Cyber Insurance Policy
By Eduard Goodman
In the cyber insurance business, there isn’t a one-size-fits-all solution and there’s a good reason for that.
Each organization has a unique risk profile that may not fit any traditional formula.
It will have a particular combination of needs, and the resources it can (and will) devote to cybersecurity won’t necessarily match the average of other companies with similar characteristics.
Developing the right policy for clients requires that brokers and underwriters review where risks exist, where risks can be reduced and where additional mitigation strategies make sense.
Considering these 11 key factors will help build a cyber insurance policy that fits each client’s needs and gives them the coverage that’s just right for them.
1. Industry sector
While cyber dangers appear in every vertical, some industries present greater risks than others.
In some cases, the sector may have a long history as a target for hackers.
Organizations operating in the financial industry fit this profile, and the type of protection the policy should include is influenced as a result. Other markets, such as health care, are newer entries to the world of cybercrime, but offer tantalizing rewards to cyber thieves.
In each case, the risks common to the industry should be considered as the policy is being developed.
2. Types of data handled
A client’s sector may dictate the type of data being managed but it’s still important to identify where sensitive information is part of the picture.
Personally identifiable information and protected health information are valuable on the black market, as is financial data.
These information types are often covered by regulatory requirements and specific breach response laws, putting businesses under additional obligations when it comes to the security measures they must deploy.
Additional penalties could also be imposed if an exposure occurs involving certain data types. Policies should reflect these factors.
3. Presence of payment card data
While financial data is prized by cyber thieves, the presence of payment card data also places a business under the oversight of payment card issuers and the merchant agreements that go along with those relationships.
Huge financial assessments may be levied by a card issuer against a company that experiences a payment card data breach, a risk that must be factored into the development of any cyber policy.
4. Adoption of data breach response and information security plans
When a business has taken these steps, brokers know that it has participated in the kind of preparation and training that gives it intimate knowledge of its own risk profile.
Companies with these plans in place know how data protection works, which vulnerabilities cyber thieves look for and how the organization can come together to implement and maintain effective security protocols.
Data response and protection plans are often key variables in a cyber policy’s final structure.
5. Third-party relationships
One trend that directly affects a business’s cyber risk profile is the increasing use of third-party vendors for everything from operational support — payroll processing, for example — to cloud storage and computing power.
These outside business partners don’t always have the same stringent data protection measures in place, potentially putting a policyholder’s information at risk. The type of relationship is important to consider (some bring more risk than others) as is the vendor’s use of security technology and best practices.
6. Level of employee training
In-house personnel are a company’s first line of defense when it comes to cybersecurity.
A business that has deployed a robust training program is better protected against some of the most common attacks, such as phishing e-mails and similar schemes where success relies on social engineering or simple human error.
Well-trained employees are also better at identifying vulnerabilities and responding quickly to suspected exposures, both of which may reduce the company's risk profile.
7. Participation in risk assessments and penetration testing
A business that looks at its risk profile proactively is much more likely to be committed to embracing security best practices and quickly addressing weaknesses.
The results of past assessments can also be used to identify where risks still exist, which strategies may contribute to a lower level of risk and where the cyber policy can provide critical coverage.
8. Up-to-date security tools
Security technology, including firewalls and anti-virus software, can be expensive.
Once that investment is made, does the company put in the effort to keep it current? Security patches should be up to date and software that is no longer supported (think Windows XP, still an extremely popular platform for many companies) should be replaced.
Obsolete tools and unpatched software should be big red flags when putting together a cyber policy.
9. Use of advanced security measures
Consider if the business has deployed tools that go beyond baseline security protocols.
One common application is the use of multifactor authentication for customers and employees who log in on secure web pages. Another is encryption applied to data stored on thumb drives and other devices that are prone to loss or theft.
These measures may affect the type of coverage the business needs.
10. Data security focus involving more than IT
Inexperienced companies often assume that data privacy and protection efforts are the sole responsibility of the IT team.
It’s a mistake that can greatly increase the company's risk profile because it opens the door to all types of cyber attacks and even inadvertent exposures triggered by the employees themselves. A culture of data security must be nurtured across the entire organization, with ongoing support for data protection efforts provided by experts in many different departments.
Consider how broad the base of data protection is when developing a cyber policy.
11. Company size
Large enterprises may tempt cyber thieves with their voluminous databases and sprawling networks, but small businesses are increasingly popular targets for hackers.
Companies at the smaller end of the scale often handle sensitive data without the technical expertise or funding available to deploy the latest security measures. Consider where risks plague big companies — their immense infrastructure can make tight security protocols difficult to enforce — and their smaller brethren, where the lack of resources and savvy may put them at a disadvantage.
This article originally appeared on Property Casualty 360. Eduard Goodman is chief privacy officer for CyberScout.