We are only just starting to wake up to the serious threats posed by the loss of data, and many remain in denial about how significant this risk is. Most of us who use the new technologies have only a rudimentary knowledge of how they really work. Credit to the developers of this technology for making it so simple to use that most of us can operate our devices intuitively and effectively without having to know anything about the underlying technology. I believe the ease of adaptation creates a false sense of security that makes us vulnerable to the criminal element.
So how does insurance fit into this picture? It is an insurance agent's responsibility to inform clients about which insurance products help mitigate risk, and how. In recent years insurance companies have created policies that deal directly with cyber liability risks. As time progresses and insurance underwriters gain experience and data associated with actual losses, these policies will continue to grow in sophistication and variety to meet the specific needs of different applications and situations. I have found that the process of discussing risk and applying for insurance provides excellent guidance for management in identifying potential weaknesses in their IT systems. In some cases it gives an organization an opportunity to change the way it does business in order to avoid risk while not seriously reducing its services.
Cyber liability insurance applications vary from one insurance carrier to another, as well as with the nature and size of the organization and its use of data. For example: Does the organization collect and store personally identifiable information (name, date of birth, social security number, address, zip code), personal health information, or credit card numbers? Is the information stored on its local servers or in the cloud? Does it do consulting work and have access to the information of its clients? Are its files encrypted? What other safety protocols are used in its systems and work? These are just some of the questions addressed in an insurance application. Some applications are considerably more detailed than others. At least for initial quoting purposes, most insurance carriers will accept a completed application even though it is a competitor's application. I usually recommend using the most comprehensive application available because the more in-depth the questions are, the more instructive the process.
Very often the question is raised about the impact of having, or not having, security protocols in place. Mature, sophisticated companies with complex systems and significant budgets for cyber security wonder if having strong security measures will lower the cost of their insurance. On the other hand, small organizations without the same resources may wonder if this insurance will be cost-prohibitive, or even available to them, without adequate security measures in place. The answers may be surprising. Insurance underwriters use different criteria for evaluating these situations. Logically, the mature organizations will have more experience and work with much larger and more complex databases. Consequently, they will be held to higher standards of security. The expectation is for them to have sophisticated security measures in place, and underwriters take this into account when determining how much insurance coverage they are willing to provide and how much they will charge for it. When evaluating smaller and/or younger organizations, underwriters make allowances for lack of sophistication, experience and budget. They assume a certain lack of security measures but are still willing to provide insurance coverage. The difference is in the amount of coverage they will provide and usually the number of records they are willing to cover.
The security of our digital assets is important and the more we know about our vulnerabilities and risks, the more we need to consider the place of insurance in the mix.
Learn more about cyberinsurance and other issues important to small businesses at the National Cybersecurity Institute.