10 things to consider before purchasing cyber insurance
May 7, 2012 in Medical Technology
Data breaches have increased dramatically within the past few years, giving way to new trends within the healthcare space. Given their unpredictable nature, data breaches are hard to budget for, but according to a recent report by ID Experts, one aspect of an overall risk management strategy is becoming increasingly important and worth exploring: cyber insurance.
“Evaluating the need for cyber coverage is not a one-person job,” read the report. “Companies should discuss their data breach risks and risk management options cross-functionally, involving leaders from IT, risk management, privacy, compliance, and legal departments. Working together, executives can more accurately quantify risks, evaluate options and develop a cost beneficial analysis to determine if cyber insurance is the right investment for their needs.”
The report describes 10 things to consider before purchasing cyber insurance.
1. Assess the risks for a data breach. According to the report, each company needs to evaluate its overall risk of experiencing a data breach and the sensitivity of its data. Some factors to consider, it continued, include the applicable rules and regulations, the amount and type of data that a company handles, the prominence of its brand, the use of mobile devices, and the number of third-party contractors with access to sensitive data.
2. Determine the financial resources available. In 2011, the Ponemon Institute reported that cyber crimes cost organizations between $1.5 million and $36.5 million per data breach, the report notes. “When considering data breach risk management options, organizations should determine if they have the financial resources to cover network downtime, legal fees, forensics investigations,” it reads. Additionally, it’s important to keep in mind the costs associated with identity monitoring and recovery services, regulatory fines and penalties, and expenses stemming from a class-action lawsuit.
3. Understand current insurance coverage. Most organizations hold general liability insurance or property insurance that provides coverage for tangible property only, such as replacing stolen laptops, according to the report. “However, the liability policy may not cover the cost of a hacker intrusion that results in the breach of customer data,” it reads. Traditional policies, it continued, also don’t overtly cover first-party breach notification costs. “These gaps could leave an organization responsible for the full cost of a data breach response. Cyber insurance can be used to help cover those costs.”
4. Evaluate policy options carefully. Typically, cyber insurance provides coverage for liability for data breaches, remediation costs to respond to the breach, and regulatory and legal fines and penalties. “However, the limitations on the coverage can vary widely based on the carrier, the type of industry, and the company’s risk profile,” the report reads. In turn, the terms of a cyber insurance policy may restrict the way an organization responds to a data breach. “For instance it may cover credit monitoring services for a breach of protected health information,” even though, it continued, monitoring a patient’s medical identity is what is useful in that case.
5. Perform a risk assessment. Performing a comprehensive privacy and security risk assessment can help an organization identify, evaluate, and mitigate gaps in its security and privacy program, according to the report: “Lessening those gaps can reduce breach risks and lower exposure if a breach does occur.” Having a third-party-documented risk assessment on file can help speed up the underwriting process and may even lower insurance premiums.