Indicators show that data breaches and other cyber-related exposures are on the rise and the situation may become worse before it gets better.
According to the Identity Theft Resource Center (ITRC), from January through October 2015, there were more than 620 data breaches in the United States, resulting in 176 million records being exposed. Once a breach has been discovered, the associated tangible and intangible costs can be significant and affect a business’ long-term ability to survive. According to the 2015 Net-Diligence Cyber Claims Study, the average cyber-related insurance claim amounted to $673,767 ($4.8 million for a large company and $1.3 million per claim in the health care sector). The study also reported the average cost per breached record amounted to about $964.
According to Richard Clarke, the former national coordinator for security, infrastructure protection and counterterrorism for the United States, there are two types of companies—those that have been breached and are aware of it and those that have been breached and just don't know.
It's clear that many companies stand to benefit when they prepare a cyber strategy before a claim occurs. Consider these steps when developing such a strategy.
- Identify assets. What constitutes a critical asset will often vary from company to company. For example, retail operations, health care facilities and higher education institutions might consider their customer data to be a critical asset. Manufacturing, energy and telecommunications firms typically consider their critical assets to be industrial control systems. Financial institutions might take a different view and identify the trading platform to be a critical asset.
- Outline a plan of action. Companies need to establish a plan of action and identify measures to help protect their assets. Have clients vet upstream and downstream supply chain vendors to inquire whether they employ cyber security best practices.
- Develop partnerships. Leveraging the assistance of a skilled service provider (professionals who have handled prior data breaches) may make dealing with a cyber incident an easier process. This might include a breach coach, who is typically an external legal counselor skilled in handling data breaches, or a data breach resolution service that offers pre-breach assessment and education and post-breach remediation services.
- Train employees. Employees often pose the greatest internal threat to a company. While malicious employees play a part, studies have shown that more often than not, it's an honest employee who causes cyber incidents, either through human error or by mistakenly doing what the employee believes is right. Developing and distributing a cyber emergency response plan can be the first step, but the company should also train all employees and turn the response plan into a protocol—that is, make it almost second nature as opposed to an afterthought. It's important for everyone—from the C-suite down to entry level—to be onboard and know how the plan unfolds.
Consider Cyber coverage
Being prepared often goes beyond developing a cyber strategy—it may also include consideration of a cyber insurance policy as a risk management transfer mechanism. While most business leaders don't think twice about purchasing a commercial property or general liability insurance policy, when it comes to cyber, far fewer companies have secured this specialized coverage.
A robust cyber insurance policy generally provides first- and third-party coverages designed to address data breach exposures, including coverages for the following:
- Security breach expenses incurred to establish whether a breach has occurred, investigate the cause and scope of the intrusion and notify victims
- Actual loss of business income and extra expenses that a company incurs as a result of ceasing its web activities because of a virus or extortion threat
- Extortion threats and threats to introduce a virus, malicious code, or a denial-of-service (DoS) attack into the insured's computer system; divulge the organization's proprietary information; inflict ransomware; or publish the personally identifiable information (PII) or personal health information (PHI) of the insured's clients
- Public relations expenses associated with restoring a firm's reputation following a breach
- The cost to replace or restore electronic data or computer programs damaged or destroyed by a virus, malicious code or DoS attack
- Security breach liability arising from the unauthorized disclosure of a third party's PII or PHI from within the computer system or if the firm's computer system spreads a virus to a third party
- Liability arising from programming errors or omissions that ultimately disclose clients’ confidential information held within the computer system
- Website publishing liability and media liability for errors, misstatements or misleading statements posted on a website that infringe on another party's copyright, trademark, trade dress or service mark; defame a person or organization; or violate a person's right of privacy.