Data breaches and security incidents are a significant risk for organizations, and some organizations are using cyber insurance to transfer that risk, much as many other business risks are transferred. If you are considering cyber insurance, the first step is to identify the cyber risks you face and determine whether they fall within your risk tolerance or need to be addressed. Security controls may need to be implemented to bring some risks down to an acceptable level, while for other risks it may be better to transfer the risk through cyber insurance.
Cyber insurance is still a relatively new concept, so offerings differ greatly between vendors. Check with your vendor to see exactly what a policy will cover. Some of the costs of a data breach or security incident include:
- Notification expenses such as those required under HIPAA
- Investigation costs
- Computer forensic services
- Data restoration services
- Public relations costs
- Loss of business during the interruption
- Loss of business following the interruption
- Regulatory fines
- Credit monitoring for impacted individuals
Insurance providers will want to know how risky a policy is, so they will most likely ask questions about your security procedures before issuing one. Cyber insurance is not a solution on its own. It needs to be pursued as part of the organization's overall security governance, alongside security controls and other risk mitigation activities.