Once a data breach occurs, assessing the damage can be one of the most daunting undertakings a firm can face. Finding out the cause of the breach is critical in repairing the damage, notifying clients and preventing it from recurring. In addition, on the heels of a breach many companies discover exactly what their Cyber Liability insurance policy will and will not cover. This can be a wake-up call for some, especially if they didn’t fully understand the terms of the policy, or if the purchaser of the policy didn’t involve his Chief Information Officer (CIO) or Chief Information Security Officer (CISO) in the process, neglecting to explain that certain protocols must be in place for coverage to kick in. For example, depending on the policy and the insurer, claims can be rejected for inadequate cyber security testing procedures and audits, outdated patches, an inadequate cyber incident response plan or inadequate backup and recovery process.
It’s important, therefore, that clients don’t purchase Cyber Liability insurance in a silo – that all pertinent individuals in the company are involved in the financial risk transfer discussion in order to understand what they are buying. In addition, with the appropriate people involved, a policy can be customized to fit the company’s specific needs rather than purchasing a one-size-fits-all plan.
In fact, research based on a survey of IT personnel and insurance professionals, conducted by Advisen in conjunction with the SANS Institute, revealed four key gaps that need to be closed for organizations to procure Cyber insurance policies that fit their requirements. These include getting IT staff and insurance professionals to speak the same language, using a common vocabulary to describe an organization’s cyber risk profile; assessing and benchmarking risk in the same manner (qualitative vs. quantitative); bridging the communication gaps that exist between IT staff and insurers and brokers, between IT staff and the organization’s risk manager, and between insurance underwriters and brokers; and making sure that IT is investing in the right things and that its insurance purchase is aligned with potential losses.
Companies can begin closing these gaps by having the CIO or CISO function as an integral part of the Cyber insurance procurement. David K. Bradford, co-founder and chief strategy officer of Advisen, offers this recommendation: “The CISO needs to be involved at a very early stage to map those exposures and to work with the risk manager to understand what those exposures are so that when the risk manager goes to the market he is able to explain it to the brokers who in turn are able to match it up with the insurers to select the correct coverage.” Indeed, survey respondents underscored the importance of the CISO’s role in purchasing Cyber coverage, with one respondent saying, “Usually, if the CISO is involved, it indicates the client has a better handle on cyber risk.”
RPS specializes in Cyber Liability insurance and can assist you in securing a custom policy for your insureds, working together so that they understand what their policy will cover, the terms and conditions of the policy and what is required of them to help ensure their coverage will be responsive.