Recently, Advisen published Cyber Liability Insurance Market Trends. The report covers survey responses from 500 insurance professionals including brokers, carriers, and risk managers.
Not surprisingly, Advisen found that there is an increasing demand for cyber insurance, and a need for better education throughout the industry on cyber liability issues.
When asked about obstacles to selling cyber coverage, 75% of respondents cited a lack of understanding about the risk of exposure. Brokers are frustrated by IT staff who feel their systems are invincible, and senior management who are in denial about their vulnerability to cyber attacks. Respondents felt that the insurance industry needs to provide better educational information to clients to foster a deeper understanding of the topic.
The threat is real
Each year, Symantec publishes an analysis of cyber threats globally, delivering an outline of what the major threats are, where they’re coming from, and who is being targeted. An infographic that supports the 2015 Internet Security Threat Report delivers some unsettling findings – advanced attackers targeted five out of six large companies in 2014, representing a 40% increase over the previous year and small- to midsized businesses were the target of 60% of all attacks.
Almost no business is safe from a cyber attack. The best hope that businesses have is to invest in constant upgrades, instill best practices throughout the organization, and develop response scenarios to follow whenever a vulnerability or an attack is detected.
A report published by the Harvard Business Review, Aggressive and Persistent: Using Frameworks to Defend against Cyber Attacks provides further evidence that executives have a high degree of awareness about cyber attacks. They’re also looking for more proactive ways to deal with threats. The report is an excellent starting point for establishing a better approach to cyber security at your company and provides some helpful guidance to consider as you build your cyber liability insurance policy.
Are you insured for a cyber attack?
Building the right approach to your cyber liability coverage is critical. One of the issues we see in the marketplace is companies that have inadequate cyber liability coverage. Policies are out of date, or contain very specific clauses about practices the insured needs to maintain in order to meet coverage guidelines.
Consider the healthcare industry, for example. Hospitals must adhere to HIPAA regulations and other high-level guidelines, particularly when it comes to IT best practices. However, if a low-level employee in the IT department fails to follow a specific practice as outlined in the insurance agreement – which he or she has most likely never seen – and that leads to a security breach, the hospital may be left without coverage.
The cost of cyber attacks
In 2014, IBM published the Cost of Data Breach Study: Global Analysis, and found that the average cost of a data breach to a company was $3.5 million. For a small or midsized firm, this can be a staggering figure, particularly if nuances in your coverage could prevent you from being able to collect on a claim.
As you work on boosting security and creating an insurance safety net, consider some of these important coverages:
- Do you have a high deductible on your cyber liability policy, and could you benefit from a deductible buy-down?
- Does your policy contain a per-claim deductible, and if so, should you consider an aggregate stop loss provision?
- What do your policy’s terms and conditions look like, and are there any holes or restrictions in coverage that should be addressed?
- Does your policy cover added expenses you may need such as crisis communication costs, legal fees, and hiring outside firms to assist with the fallout of a cyber attack?
Put your plan in place
As cyber attacks become more frequent, the likelihood that you will be the victim of an attack increases. Do your best to prepare your company and to foster best practices throughout your organization – even if the cost is a bit painful. Work with professionals and outside consultants to make sure your approach to security is fresh and up-to-date, and conduct an annual review with your insurance advisors to make sure your insurance policy is still relevant and that your practices live up to the expectations set out in the policy. If you feel you need additional coverage that your carrier can’t provide, you should consider forming an enterprise risk captive to create a safety net to cover your company in the worst case scenario. Contact us for help with weighing your options.