by April Runft
on July 09, 2019
Cyber Security & Data Privacy
Legal & Industry Education
Editor's Note: Since it was first published in March 2017, this information has only become more helpful for modern organizations that are trying to stay ahead of the pack when it comes to protecting their (and their clients') data. Take a look in case you missed it when it first appeared.
“Hoping for the best, prepared for the worst, and unsurprised by anything in between.” — Maya Angelou
Businesses are advised to insure themselves against all sorts of dangers, however unlikely. Cybersecurity has joined the ranks of acknowledged business vulnerabilities. That vulnerability is particularly strong among organizations that house confidential customer data as a matter of course, like health providers, and it is also top-of-mind for law firms, which often hold their clients' most sensitive business and personal information.
Cyber insurance policies have been available for about a decade, but they have picked up steam over the last five years as these organizations seek to assuage their fears around data breaches.
Knowing this, we decided to investigate—unabashedly asking the rookie questions about cyber insurance so you don’t have to.
Retailers and healthcare companies are top candidates for cyber insurance coverage because they deal extensively with customers' financial and private information, but they aren't the only ones at risk. If your company employs error-prone humans, cyber risks apply to you (see next question)—even if you’re confident in your cybersecurity protocol.
“People are often hesitant to pursue a policy if they have a strong cybersecurity system in place,” said Erica Rangel, a broker at RT Specialty, a wholesale distributor of specialty insurance products and services. “But insurance isn’t a replacement for a strong system—it’s meant to enhance it.”
This article, written by Sean Cooney of Keesal Young & Logan, takes an in-depth look at how these policies can combine with other cybersecurity protocols to combat some of the most common cyber threats facing today’s enterprise.
We can lump causes into three main buckets: external threats, internal threats, and carelessness.
Privacy Rights Clearinghouse, a resource organization for US data privacy, has tracked 5,325 publicly reported US data breaches since its inception. According to a recent report, the three most common causes of data breaches are currently hacking, portable devices (lost, discarded, or stolen), and unintended disclosure (data sent to the wrong party or posted publicly on a website); together they account for nearly 70 percent of known incidents.
Physical loss of non-electronic records (think: a file folder forgotten on a bus) and insider activity (someone with legitimate systems access intentionally breaching the system) add another 22 percent.
It is interesting to note that payment card fraud incidents, like "skimming" at an ATM or cashier station, account for just 1.2 percent of data breaches, even though they get the most news coverage.
Yes, your company should have its own insurance policy. Software-as-a-service (SaaS) vendors generally carry their own cyber insurance, but those policies cover only the vendor. Also, while SaaS vendors are highly motivated to take reasonable steps to protect your data, their contracts often limit their liability to you.
Policy sizes and premiums vary and are driven by two major factors: revenue and record count.
Record count refers to the number of individuals who would need to be notified in the event of a breach. Annual policies can range from $1 million in coverage (at a cost of about $1,000) up to $100 million for large organizations. Policies typically cover two main costs:
Erica estimates there are about 30 different vendors offering cybersecurity insurance coverage.
“A few years ago, companies were just kicking the tires,” she said. “But now coverage is becoming a no-brainer.”
Here’s an example of what a cyber insurance application will ask for:
“Members of upper management—typically the CEO or president—along with IT department reps, tend to initiate the process of securing an insurance policy,” said Erica. “Boards of directors are often involved, too, given their directive to protect companies’ best interests.” Of course, if a company has a general counsel, chief security officer, and/or compliance officer, those personnel may also be involved.
Depending on the company’s size and structure, there may be other roles looking out for these concerns. As Judy Selby of BDO advises about cybersecurity in general, “It doesn’t necessarily matter which leader claims ownership—only that someone does.” Having a knowledgeable, high-quality insurance representative is also critical.
What happens when a company suspects a breach? How often are companies making claims on their policies? We’ll consider these questions and more in a future blog post. Do you have other questions? Let us know in the comments below.
In the meantime, it's comforting to know that some of the processes and tools you already have in-house for e-discovery can help you tackle cybersecurity readiness, too. Check out this Relativity Fest session recording to learn how.
April Runft was a member of the marketing team at Relativity, where she specialized in content development and customer advocacy.