What CIOs Need to Know about Cyber Liability Insurance
As we are all aware, data breaches have reached epidemic proportions globally, and most CIOs now say it is not a matter of if they get breached but when. Many breaches also go undetected for long periods, which means the victim has no idea a breach occurred in the first place.
Cyber liability insurance grew out of technology errors-and-omissions coverage: large corporations bought it to protect against claims that their software did not do what they said it would. Over time, that coverage evolved into cyber liability insurance. Nowadays, when a data breach occurs, companies can lose millions of dollars in revenue and suffer severe reputational harm to their global brand. To minimize the impact and protect against financial harm, more and more companies are purchasing cyber liability insurance.
However, industry experts are questioning what these policies really cover and whether separate cyber insurance is even necessary. At a minimum, there are misconceptions on the topic. In some cases, buyers overestimate what is covered, for example assuming a policy covers the entire breach lifecycle and every associated expense, which is not the case. Perhaps most worrisome is that some CIOs think insurance will allow for reduced security spending and a less robust security program. Yet losses that result from poor security practices, or from failing to disclose known issues to the insurer, are commonly excluded from coverage.
Cyber liability insurance is no substitute for security best practices.
Types of Cyber Liability Insurance:
• Errors and Omissions: Covers claims arising from errors in the performance of your services. This can include technology services, such as software and consulting, or more traditional professional services such as those of lawyers, doctors, architects and engineers.
• Media Liability: Covers advertising injury claims such as infringement of intellectual property, copyright or trademark infringement, and libel and slander. As business content has moved online, technology companies have seen this coverage migrate from their general liability policy into a media component of a cyber policy (or a separate media liability policy). Coverage here can extend to offline content as well.
• Network Security: A failure of network security can lead to many different exposures, including a consumer data breach, destruction of data, malware transmission and cyber extortion. Network security coverage can also apply if you are holding trade secrets or patent applications for a client and that information is accessed because of a failure of your security.
• Privacy: Privacy doesn’t have to involve a network security failure. It can be a breach of physical records, such as files tossed in a dumpster, or human error such as a lost laptop, or sending a file full of customer account information to the wrong email address. Companies have also faced liability from returning a photocopier with a hard drive that contained unwiped customer tax records. A privacy breach can also include an action like wrongful collection of information.
While it has some very clear benefits, having cyber liability insurance is not an excuse for weak security controls, just as having auto insurance does not give you license to drive recklessly. Cyber insurance is not about transferring responsibility for securing your organization to an insurer; CIOs must still meet their compliance obligations and have standard safeguards in place, and insurers increasingly require evidence of those safeguards before they will write or pay out on a policy.
Regardless of your cyber liability insurance policy, remember these simple security practices:
• Write, test and maintain a data breach response plan so the organization knows who does what when a breach occurs
• Conduct regular external penetration tests to highlight areas that need attention
• Keep all your systems and software patched
• Implement strong access controls, including multi-factor authentication, to limit what an attacker can do with stolen credentials
• Put security controls in place that both strengthen your security posture and can reduce your cyber liability insurance premium
As a CIO, you will want to be able to demonstrate to your insurer that your organization did all that it reasonably could to protect itself and its assets. Cyber liability insurance is no substitute for security best practices.