As our reliance on computer technology and use of the Internet continues to grow and change, so, too, do the risks of loss and potential liability arising from that use and from services provided to or by third parties. These risks include loss of stored data, theft of data, disruption of network capabilities, and disclosure of private information. Given the relatively new and evolving nature of these risks, the ability to transfer them through traditional insurance or contractual indemnity has been limited. However, as the nature of cyber risk has become better understood, techniques and insurance products have emerged to address it. Enter “cyber insurance” with data breach incident response services.
It seems that of late I am seeing more and more new clients coming to me for assistance with securing “cyber insurance” due to contract requirements. Large organizations, whether they are financial institutions or the Fortune 500s of the world, are requesting that their contractors have the appropriate professional or “cyber” liability insurance in place to cover breaches of data security. Oddly, most of these new clients of mine do not even collect or store sensitive data (they are merely “exposed” to the data because of the scope of their responsibilities under the contract agreement), and yet they are being required to purchase cyber liability insurance in the event of a breach and/or security incident.
Typically, these contractors are given a “one size fits all” minimum required limit regardless of their size and of the scope of the data that they may or may not be collecting or storing. However, some of the large organizations that impose such requirements are realizing that their minimum coverage requirements may be overstated and that their “one size fits all” approach needs to be relaxed. One client in particular was able to negotiate her contract’s minimum required limit of $10m down to $1m, which in my past experience with this undisclosed large organization was just unheard of.
Can lower limits be permitted when dealing with small contractors that are not collecting or storing personally identifiable information (PII) or protected health information (PHI)?
In my opinion, yes! There are some very small vendors that provide a service to organizations in which the scope of their responsibilities does not involve collecting, transmitting, transferring or storing sensitive data, and for which the cost of obtaining standard limits may not be feasible. Organizations should always evaluate the potential for loss, the potential benefit to the organization of the service provided and, finally, the vendor’s financial capacity to purchase coverage at reasonable rates. It is important to mention, however, that the dollar amount of an agreement should never be the sole determining factor for the required insurance limit.
It used to be sufficient for vendors to provide “proof of insurance,” typically for Commercial General Liability (CGL) insurance, when entering a contract. Needless to say, it only makes sense that a vendor exposed to sensitive data in the scope of its contractual responsibilities should provide proof of cyber/data breach insurance, even if it is not taking any sensitive data off-site, collecting any data, or transferring/transmitting data. This is especially true if the vendor has remote access to the organization’s sensitive data, which is why more and more large organizations are requiring their vendors to provide proof of cyber insurance. It makes good business sense and protects both parties in the event of a data breach or security incident.
A cyber insurance policy with data breach response services also offers other coverages (depending on the specific policy and endorsements), such as:
– crisis management and customer notification expenses,
– credit/identity theft monitoring,
– privacy and security liability,
– privacy regulatory defense and penalties,
– computer forensics investigation,
– a “Data Breach Coach” (aka “Privacy” attorney),
– pre-breach planning services,
– business interruption expenses,
– hacker damage costs, and
– cyber extortion.
It’s important to note that cyber insurance policies are not standardized; their terms and coverages vary by insurance carrier.
CYBER DATA RISK MANAGERS LLC is an independent insurance agency specializing in cyber security and data breach response insurance. We offer solutions that help you respond quickly to cyber events and data breaches, as well as plan in advance for their occurrence. Given the ever-changing nature of information assurance and compliance, you don’t want to be caught unprepared.
For assistance, call 1-(855) CUT-RISK toll free, or complete the form below.