by Brian Lapidus of Kroll –
Cyber liability insurance is getting more attention these days, thanks to some high profile breaches and a growing awareness of the costs associated with cyber risk. And the timing couldn’t be better, as costs are indeed reported to be rising.
Perhaps one of the biggest obstacles to offsetting the costs of data breach is simply defining those costs in the first place. They can range from direct costs (discovery, letter mailing, etc.) to indirect costs (lawsuits, regulatory fines, etc.), and even include costs associated to victims (credit services, for example) and the general public (loss of consumer confidence and future opportunity).
Because of all these varied and potential costs, it is very important to understand exactly what a cyber policy can and can’t do to mitigate financial risk.
These policies are separate from commercial general liability, which almost never covers data loss. That’s because data is not tangible property; therefore, data loss does not generally meet the requirements for direct physical loss. A cyber liability policy typically covers a number of cyber-related risks, such as network security (destruction, corruption, deletion of data, etc.) and even cyber extortion. The costs associated with data breach generally fall under “crisis management,” also covered by cyber policies. Crisis management is one small portion of an overall policy and typically comes with a cap on coverage.
While it’s a good thing to have, cyber liability insurance is not an alternative to employing risk management measures, nor was it ever meant to be. Your business likely has a policy to protect against a fire, but this does not mean you shouldn’t take the additional steps of installing smoke detectors and sprinklers in the building, as well.
Insurance offsets the costs a business would face in the wake of catastrophic loss, and any business that’s experienced a massive breach understands just how catastrophic data loss can be. Heartland Payment Systems experienced one of the largest data breaches in U.S. history in 2007, and by 2010, it was still reporting breach-related expenses, which by that time had grown to more than $130 million.
One of the problems with managing the costs associated with a data breach is the complexity involved. The true cost of a breach involves more than just mailing a notification letter. Breach management can involve forensic investigations, legal proceedings, regulatory fines and audits, and customer remediation offerings like internet or credit monitoring.
This is to say nothing of the cost of managing reputational harm and loss of business. All of these have a price tag, and it can be a very difficult task for an organization to determine true costs.
What follows are some basic steps that you can take whether you have a cyber policy or not to minimize your financial risk in the event of a breach:
Utilize an ongoing breach preparedness program - Typically, any carrier will require some type of risk assessment before a policy can be written. This is because a risk assessment will establish a security baseline for the organization. However, most policies also include conditions related to the ongoing security controls that a company employs and, as you might expect, a failure to meet those conditions could result in loss of coverage. Because of this, breach preparedness programs can be a valuable asset in almost any circumstance. Be sure yours includes in-depth risk assessment, incident response plan assistance, and ongoing data security controls. A good program will also offer ongoing assistance and consultation during implementation.
Engage outside counsel for advice on litigation and regulatory expenses - Privacy law is an ever-changing and relatively young discipline, and it’s exceedingly difficult to navigate the risks related to legal or regulatory issues without the aid of able counsel. For this reason, it is advisable to seek legal counsel on the potential costs related to litigation fees, regulatory fines and e-discovery before a policy is in place. An understanding of related legal and regulatory obligations will aid in determining how much insurance coverage will be necessary to offset the associated costs.
Plan to conduct a forensic investigation - Look for a policy that will cover expenses related to data forensics. This is a key component to determining whether a breach has occurred, how it occurred (and whether it is ongoing), and the scope of the incident. We’ve seen several cases where the number of records thought to have been lost was substantially reduced after a thorough forensics investigation. This can lead to less costs in terms of notification and remediation.
Further, such an investigation ensures proper discovery protocols are in place to collect and preserve evidence in the event an audit or lawsuit develops. A thorough investigation also can reduce your chances of regulatory fines if, for instance, your organization has demonstrated intent to identify risk of harm to your affected population.
Employ delivery optimization techniques to cut your notification costs - Whether you have a cyber policy or not, there are definite opportunities for cost savings related to breach notification. For instance, utilizing a mailing list that’s inaccurate, out of date or incomplete can make notification a time consuming and costly endeavor. Cleaning up your mailing list to eliminate duplicates and ensure addresses are accurate will not only optimize your delivery, it will ensure you’ve demonstrated best efforts to provide all those affected with a timely notification.
We have done this for numerous clients and we consistently see mail list reductions of five to 15 percent simply by eliminating duplicate entries. If you have a list with 150,000 entries and you manage to reduce those by 20,000, it can significantly affect bottom line costs.
Brian Lapidus is chief operating officer for the Information Security, Forensics and Data Breach practice of Kroll.