Lately, I have seen a lot of chatter on the topic of cyber security insurance. Whether you are a financial services company or a health care practice, you probably have thought about getting cyber security insurance coverage at some point.
For those of us who are not familiar with this category of insurance, the Department of Homeland Security (DHS) defines it as follows:
Cybersecurity insurance is designed to mitigate losses from a variety of cyber incidents, including data breaches, business interruption, and network damage. A robust cybersecurity insurance market could help reduce the number of successful cyber attacks by: (1) promoting the adoption of preventative measures in return for more coverage; and (2) encouraging the implementation of best practices by basing premiums on an insured’s level of self-protection.
DHS further states that many companies forego available policies, however, citing as rationales the perceived high cost of those policies, confusion about what they cover, and uncertainty that their organizations will suffer a cyber attack.
DISCLAIMER: Now, at the risk of being confused for someone selling insurance, let me state upfront that I am NOT an expert in insurance sales, insurance policy underwriting, or litigation and legal matters. So, I am not going to advocate for or against cyber security insurance. This is a personal decision (or a business decision!). And, NO… Errors and Omissions (E&O) insurance does NOT cover losses from cyber crime or data breaches. So, with that said, I would prefer to focus my musings on the technology implications of a cyber security insurance policy.
For those of us who are considering taking the plunge, here are 5 exclusions that you MUST be aware of:
Exclusion #1: Breaches of protected information in paper files.
So, if you are still using paper files that contain Personally Identifiable Information (PII) of your clients, DON'T. Any breaches caused by files being stolen or going missing will NOT be covered by any policy. Besides being highly inefficient and unprogressive, the practice of storing paper files can lead to other potential disasters. I am sure we have all heard of at least one case where a disgruntled employee stole some client files with the intent to harm the employer that had legal custody of that client's information. Go digital. It will help you in more ways than one!
Exclusion #2: Claims brought by the government or regulators, including the Office of Civil Rights, the Department of Health and Human Services, and the Office of the Attorney General.
Any direct, indirect, criminal or punitive damages that may arise as a result of a data breach or a hacking incident are clearly not covered by cyber security insurance. These include fines, restitution or any indirect costs that arise from claims. So, what about legal defense? The answer depends on the case. Check with your attorney!
Exclusion #3: Vicarious liability, for data entrusted to a third-party vendor, when the breach occurs on the vendor’s system.
Now, this is a common fallacy: I have hired Acme IT Solutions to manage my IT, so any breach event would be their problem, right? WRONG! Let me put this in perspective as best as I can (again, please do NOT confuse this for legal advice). Suppose you are a financial services company that has access to a client’s retirement accounts. The financial services company hires an IT provider to manage its IT, and then the financial services company experiences a data breach. Who bears the brunt of the liability? In all cases, it’s the financial services company. The IT provider may be pulled into the case depending on the circumstances. However, the onus is always on the financial services company to make sure that it chooses its third-party IT vendors wisely. Remember, the client went into business with the financial services company and NOT the IT vendor.
Exclusion #4: Unencrypted data.
What?! Yes, you read it right!
If you experience a data breach and the hard drive that the data was on was unencrypted, you are likely to be on the wrong end of the insurance claim stick. So, it is a good idea to encrypt all drives, no matter how cumbersome it might be, including those in mobile devices.
Exclusion #5: Claims based upon negligent computer security.
Another great one for the insurance company.
If a data breach happens, coverage will be denied for companies that failed to use their best efforts to install software updates or releases, or failed to apply security patches to their computer systems. So, the big question here is, HOW DO YOU PROVE THIS?
Furthermore, how do you proactively plan your cyber security strategy for your business? You don’t have enough hours in a day to keep up with your core business, and now this. Remember, there is no magic widget that will prevent cyber crime. It’s just a matter of time before you are affected in some way. You can only manage risk and minimize liability. So, if you have to prove to yourself (or regulators) that you followed best practices in cyber security, you have to proactively invest in and use tools to manage your cyber risk.
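Exclusions #4 and #5 both come down to evidence: can you show, with dates, that every drive was encrypted and that critical patches were installed within a reasonable window? The script below is an added example, not part of the original post and not a product of the author or of Entreda; it runs a fleet inventory through those two checks and produces a dated evidence record. The device inventory, the patch identifiers and the 30-day patch window are all constructed assumptions; a real deployment would feed it the output of your MDM or patch-management tooling and keep the dated reports.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Assumed policy threshold (hypothetical): a critical patch must be installed
# within this many days of its release to count as "best efforts".
PATCH_SLA_DAYS = 30


@dataclass
class Patch:
    patch_id: str   # placeholder identifiers, not real advisories
    released: date


@dataclass
class Device:
    name: str
    disk_encrypted: bool                    # full-disk encryption on (exclusion #4)
    last_patch_applied: Optional[date]      # None = no patch record at all
    pending_critical: List[Patch] = field(default_factory=list)


def assess_device(dev: Device, today: date, sla_days: int = PATCH_SLA_DAYS) -> List[str]:
    """Return the exclusion-relevant findings for one device (empty list = OK)."""
    findings: List[str] = []
    if not dev.disk_encrypted:
        findings.append("unencrypted-drive")          # would trip exclusion #4
    if dev.last_patch_applied is None:
        findings.append("no-patch-record")            # nothing to show an insurer
    for p in dev.pending_critical:
        age = (today - p.released).days
        if age > sla_days:                            # would trip exclusion #5
            findings.append(f"overdue-critical-patch:{p.patch_id}:{age}d")
    return findings


def assess_fleet(devices: List[Device], today: date,
                 sla_days: int = PATCH_SLA_DAYS) -> Dict[str, List[str]]:
    """Map each device name to its findings."""
    return {d.name: assess_device(d, today, sla_days) for d in devices}


def evidence_report(devices: List[Device], today: date,
                    sla_days: int = PATCH_SLA_DAYS) -> str:
    """Dated, human-readable record suitable for keeping as compliance evidence."""
    lines = [f"Cyber-hygiene evidence as of {today.isoformat()} (patch window {sla_days} days)"]
    for name, findings in assess_fleet(devices, today, sla_days).items():
        status = "OK" if not findings else "AT RISK: " + ", ".join(findings)
        lines.append(f"  {name}: {status}")
    return "\n".join(lines)


# Constructed sample inventory (not real devices or patches).
SAMPLE_DATE = date(2024, 6, 1)
SAMPLE_DEVICES = [
    Device("advisor-laptop-01", True, date(2024, 5, 20)),
    Device("reception-desktop-03", False, date(2024, 5, 20),
           [Patch("PATCH-PLACEHOLDER-A", date(2024, 5, 25))]),   # 7 days old: fine
    Device("advisor-phone-02", True, None,
           [Patch("PATCH-PLACEHOLDER-B", date(2024, 3, 1))]),    # 92 days old: overdue
]

if __name__ == "__main__":
    print(evidence_report(SAMPLE_DEVICES, SAMPLE_DATE))
```

The findings are deliberately coarse strings so they can be written straight into a ticketing system or a dated log; the value of the exercise is the time-stamped trail showing that unencrypted or unpatched devices were detected and dealt with, which is exactly what an insurer or regulator will ask for after an incident.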
The good news is with services like Unify by Entreda, financial services firms can automate their cyber security policy enforcement on devices, apps and networks. And, it fits all budgets whether you are a business with one or a hundred employees!