President & CEO, TrustSec Inc. & President, Cloud Security Alliance Canada
When an organization considers the impact and costs of a data breach, the total is often far larger than the initial estimate. It goes beyond repairing databases and other infrastructure, or taking steps to remediate and fortify the organization’s security posture. For many sectors of the economy, there are regulatory and public-opinion consequences that may be significantly more difficult to fix or address. If there is a financial loss due to a data breach or ransomware attack, traditional insurance coverage will likely not provide appropriate financial reparations.
What coverage does cyber insurance provide?
Regardless of the legal and regulatory requirements, organizations have an obligation to keep their customer data protected. In the case of Protected Health Information (PHI) and Personally Identifiable Information (PII), companies may face liability if the information is exposed in a data breach. A cyber-insurance policy will generally protect companies against such liabilities and reimburse expenses related to a data breach, which may include legal costs, a digital forensics investigation and incident response, and crisis management. Because there are different kinds of policy coverage, it is important to work with your insurance stakeholders to confirm that you have the right cyber coverage in place.
Current cyber insurance market conditions
Globally, organizational data has never been more at risk. For every dollar spent on cyber coverage, the insurance industry is paying out three dollars; in short, it is a losing proposition. Insurance companies, in many cases, are partnering with clients to ensure that data protection and cyber security are top of mind for corporate policy-makers. The industry may support activities such as vulnerability assessments and penetration testing to ensure that a standardized security posture is in place. Given the current financial landscape for cyber insurance coverage, insurance companies are faced with a choice: either support customers in putting rigorous data security measures in place, or exit the market.
At the end of the day, the customer must own the responsibility of providing reasonable and effective security measures to protect organizational and client data. In turn, it will be incumbent on the insurance industry to practice due diligence in assessing whether an existing or potential customer is permitted to purchase a cyber insurance policy. It is important to note that this is an evolving model, in which transparency and framework compliance will help mitigate risk and provide a value proposition to both the insurance company and the customer.