Cyber insurance has come a long way, but it still has a longer way to go because of today’s evolving technologies and security vulnerabilities, whether they exist today or are yet to come. While many companies have purchased cyber insurance, many are still on the sidelines, for reasons of their own. Cyber insurance is certainly not a one-size-fits-all solution, which is why each company today has its own reasons for why it has or has not yet purchased a cyber insurance policy. In many regulated industries, however, regulators, shareholders and investors have begun asking why a company does not have cyber insurance. While cyber insurance is not a mandatory purchase, for many companies it is only a matter of time before they will need to explain to a third party why the company did not purchase it.
For those companies that have purchased or are considering purchasing cyber insurance, many questions arise in the pre-purchase and post-purchase phases about how the company must comply with data security measures. Cyber insurance premiums, more often than not, come at a high cost and are treated as a company investment. Therefore, when an incident happens, a company that has paid a high premium and made that investment naturally wants there to be no question about whether it was compliant in its data security. While cyber insurance has evolved over the past decade and has fast become a way for companies to mitigate their cyber risk and fund incident response, it is not to be seen as a replacement for data security compliance. This is why it is crucial to understand what your company must do to secure its sensitive data before and after a cyber or data security incident, and to implement the cyber and data security protections most appropriate for your company’s needs.
Indeed, cyber insurance carriers realize that cyber and data security incidents will and do happen. However, it truly matters what your company is doing to minimize the chances of an incident happening and to minimize the risks when one does happen. As with any type of insurance, just because you have it does not mean you are instantly covered for any and every type of incident.
Today there are many brokers pitching cyber insurance; however, many lack the experience and expertise needed to help and guide a company through making an informed purchase, all the way through to seeing a cyber insurance claim processed. Would you go to your general healthcare practitioner for a medical procedure or solution that requires a specialist? Most likely not. Taking the above into consideration, if the solution costs the same, 99.9% would opt for the specialist. Likewise, it is important to work with an experienced cyber insurance broker who specializes in cyber insurance and can help and guide your company from its cyber insurance purchase through its cyber insurance claim.
Cyber Insurance Compliance Insights from FTC Investigations
There are many resources available to companies today that are concerned about data security. There is one in particular that, over the next few months, I am going to highlight here in future blog articles. The new resource I will be reflecting upon is a blog series, “Stick with Security: Insights into FTC Investigations,” that the FTC will publish every Friday for several months on lessons learned from data security investigations that were closed without formal enforcement action. While the FTC blog is certainly not a be-all and end-all solution for mastering data security compliance, it can certainly be seen as providing valuable compliance insights into how the FTC thinks, and what makes it either close an investigation or issue a formal enforcement action.
Companies under the FTC’s jurisdiction, from internet giants to small and medium-sized businesses, continuously struggle with what level of data security they must provide to convince the FTC that their efforts to protect personal data are reasonable. The FTC continues to rely on Section 5 of the FTC Act, a catch-all prohibition against unfair and deceptive trade practices, to carry out data security compliance actions.
The weekly FTC blog will use a series of hypotheticals to take a deeper dive into steps companies can take to safeguard sensitive data in their possession. The FTC blog will offer easy-to-apply tips to help your company not just start with security, but stick with security to bolster your defenses.
According to the FTC, there are lessons to learn from investigations that its staff closed with no further action. While the FTC will not disclose the identities of the targets of those matters unless there has been a public closing letter, it feels there is more it can do to explain to other companies the general principles that informed its thinking when it decided to close those investigations.
The FTC states that a preliminary question it often gets from businesses is whether there are recurring themes running through the investigations that are ultimately closed without law enforcement action. Either way, this should be a weekly read for every company leader and C-suite executive.
Besides the FTC’s weekly Friday blog, another valuable resource worth reviewing is the FTC’s guide Start with Security: A Guide for Business [PDF].
The FTC published its first “Stick with Security: Insights into FTC Investigations” blog article on July 21st. Please be sure to check out the recent articles on its blog, and check back here in the upcoming days, weeks and months for cyber insurance compliance insights gained from the FTC’s weekly blog articles.