A recent survey by Chubb Insurance and Marsh found that businesses fail to appreciate cyber risks or integrate their approach to threats to network security into their overall risk management framework. I agree with that conclusion and would add the following points:
- There is no substitute for a robust data security protocol. Cyber insurance may reimburse certain of your losses for data breaches, but it cannot restore your business’ reputation.
- Cyber insurance offers carefully defined policy benefits that may or may not suit your business, so take care in evaluating the policy. The insurer will typically dictate the way your business responds to a data breach, which may be more in the interest of the insurance company and less in the interest of your business. For example, in the event of a healthcare data breach (let’s say your business provides home nursing services), the policy may cover only credit monitoring services for the patients whose information was compromised, when medical identity monitoring would better meet your needs.
- Also understand that the defined breaches eligible for coverage are often limited. For example, the cyber insurance coverage may not cover a data breach caused by a third party, such as a cloud computing service provider, even though the primary organization, your business, is liable.
- Finally, review your existing policies carefully, as cyber insurance may duplicate certain provisions of your existing business owner’s policy.
Airmic’s Review of Recent Developments in the Cyber Insurance Market reported that cyber insurance is now a more cost-effective risk transfer mechanism than it has been in the past. I look forward to reviewing the new provisions for covering cyber risks when my policy comes up for renewal. Meanwhile, I will continue to be vigilant on network security.