A recent NPR story reported that insurance companies are writing “about a thousand new cyber insurance policies every day.”
I decided to check in with a National Association of Insurance Commissioners (NAIC) spokesperson to find out — is cyberinsurance a passing fad or here to stay?
1. Do you have information on the number of cyberinsurances being issued? If so, what are the types of organizations that are purchasing these policies?
We do not collect information on the types of businesses purchasing cyberinsurance. While we collect data regarding the number of policies in force, there is some information missing regarding package policies and the inability to separate out some of the information. Roughly, 2.7 million cyberinsurance policies were written in 2017. We will have updated 2018 numbers this summer.
2. What are the top 3 things companies should keep in mind when considering whether to purchase a cyberinsurance policy?
Not all cyberinsurance policies are equal – it is important to purchase cyberinsurance through a broker that is well educated and can provide information regarding policy differences.
A business should assess their risks for a data breach and perform a risk assessment, as well as to determine their available financial resources. Things that can occur due to a data breach include legal fees, forensics investigations, regulatory fines and penalties, network downtime, etc.
Ask if there are value-added services offered as part of the policy. Some insurers offer free legal advice, access to information regarding privacy and security resources, as well as webinars to help educate businesses. These things can help to improve a business’s risk profile, which will in turn help to lower insurance premiums.
3. Why should cyberinsurance be a part of your breach response plan?
Insurance helps to defray the costs when a data breach occurs. When a business has an incident response plan in place, as well as a security team to execute the plan before a breach occurs, it provides a significant contribution to mitigating data loss and the corresponding fraud and identity theft issues that may follow in the event of a data breach.
4. What are the types of cyberattacks organizations should plan to protect themselves from?
There are many and the threat landscape changes frequently, so it is important to keep up with the current landscapes. One way to keep informed is to join an information and sharing analysis center geared toward the type of business.
Current cyberattack vulnerabilities include:
Ransomware, phishing campaigns, malware, distributed denial of service attacks (DDoS), Internet of Things vulnerabilities
5. In an organization, who generally is responsible for purchasing cyberinsurance — is it the CFO, corporate counsel or a cybersecurity expert on staff?
This varies by organization, some organizations use their CISO, smaller organizations may use other resources such as a cyberexpert on staff — ultimately there is likely a process where many members of upper management are involved.
6. How does one get more information about this issue?
There are a lot of websites that provide basic information regarding cyberinsurance, but the best thing is probably to involve a broker to help with information regarding current insurance policies available. The FTC and the Cyber Security Alliance both provide information for small businesses.
Karen Burke is the Director of Corporate Communications with Farsight Security, Inc..
