While you might think your general liability insurance policy will cover you for costs related to a data breach, it's worth taking a second look.
The Lucile Packard Children's Hospital at Stanford University was recently fined $250,000 by the California Department of Public Health for delayed reporting of a data breach. Regulatory concerns like these, along with concerns about the more straightforward implications of any security breach, are leading more and more companies to consider purchasing cyber liability insurance.
One such company is the Dallas, Texas-based managed hosting services provider NeoSpire, Inc. Company president Mitch Gervis says he was surprised to learn that his general liability insurance policy didn't cover a wide range of issues related to security breaches. "All sorts of things are not covered under your G&L, so we started to look into this very nascent field of cyber liability coverage," he says.
Sean Bruton, NeoSpire's director of security, says the company quickly learned that rates for cyber liability insurance are greatly affected by how secure your data is in the first place. "It's like any liability insurance: insurance companies are doing a risk assessment of who they're covering, essentially their own security audits of you," he says.
And those audits can be very broad in scope. "They're asking what sort of security controls you have in place, everything from physical security to network security, intellectual property security, and when they don't see a really mature, well-thought-out and proven security in place at the company, that of course is going to affect their rates," Bruton says.
That can include everything from how you handle backups, Bruton says, to how you handle communications with customers, or how you screen employees. "They also go to industry experts when they look to create these security questionnaires, so you get some of the pretty advanced stuff, too, like you'd see in PCI and some of the more involved security assessments," he says.
One key area that many companies miss, Bruton says, is the importance of reviewing logs and responding to security events as they happen. "Most companies, from what we've seen, don't even consider their security logs at all," he says. "They're used solely as forensic sources after something's happened, as opposed to another source of monitoring for intrusions and potential breaches."
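To make the point concrete, here is an added example of what "another source of monitoring" looks like in practice. This is illustration code written for this page, not NeoSpire's tooling or anything the article describes: it streams sshd authentication log lines, keeps a sliding window of failed logins per source address, and raises an alert when a source crosses a failure threshold or logs in successfully right after a burst of failures. The log lines are constructed for the example, and the threshold (5 failures) and window (60 seconds) are assumed values a site would tune.

```python
"""Treat auth logs as a live detection source, not just forensic evidence.

Added example (not from the article): a minimal detector over sshd log lines.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the syslog line OpenSSH's sshd writes for password/publickey auth.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

# Constructed sample log (not real data): a brute-force burst from 203.0.113.45
# that ends in a successful login, two stray failures from 198.51.100.22 far
# apart in time, and a normal key-based login from 198.51.100.7.
SAMPLE_LOG = """\
Mar 12 14:01:02 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
Mar 12 14:01:03 web01 sshd[2202]: Failed password for invalid user oracle from 203.0.113.45 port 51235 ssh2
Mar 12 14:01:05 web01 sshd[2203]: Failed password for root from 203.0.113.45 port 51236 ssh2
Mar 12 14:01:06 web01 sshd[2204]: Failed password for root from 203.0.113.45 port 51237 ssh2
Mar 12 14:01:08 web01 sshd[2205]: Failed password for deploy from 203.0.113.45 port 51238 ssh2
Mar 12 14:01:09 web01 sshd[2206]: Failed password for deploy from 203.0.113.45 port 51239 ssh2
Mar 12 14:01:12 web01 sshd[2207]: Failed password for deploy from 198.51.100.22 port 60001 ssh2
Mar 12 14:01:30 web01 sshd[2210]: Accepted password for deploy from 203.0.113.45 port 51290 ssh2
Mar 12 14:05:00 web01 sshd[2250]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2
Mar 12 14:20:00 web01 sshd[2301]: Failed password for deploy from 198.51.100.22 port 60002 ssh2
"""

SYSLOG_YEAR = 2024  # syslog timestamps carry no year; assumed for the sample


def parse_line(line):
    """Return a dict for an sshd auth event, or None for lines we ignore."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=SYSLOG_YEAR)
    return {"ts": ts, "host": m["host"], "ip": m["ip"], "user": m["user"],
            "method": m["method"], "ok": m["result"] == "Accepted"}


def detect(lines, threshold=5, window_seconds=60):
    """Stream log lines; return alerts as (kind, ip, user, timestamp) tuples.

    "brute_force": a source accrues `threshold` failures inside the sliding
    window (reported once per burst).
    "success_after_failures": a login from that source succeeds while the
    window still holds `threshold` or more failures (likely a guessed password).
    """
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = set()                 # ips already reported for the current burst
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        window = failures[ev["ip"]]
        # Expire failures older than the window, measured from this event.
        while window and (ev["ts"] - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if not window:
            flagged.discard(ev["ip"])  # burst is over; a new one may be reported
        if ev["ok"]:
            if len(window) >= threshold:
                alerts.append(("success_after_failures", ev["ip"], ev["user"], ev["ts"]))
            continue
        window.append(ev["ts"])
        if len(window) >= threshold and ev["ip"] not in flagged:
            flagged.add(ev["ip"])
            alerts.append(("brute_force", ev["ip"], ev["user"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for kind, ip, user, ts in detect(SAMPLE_LOG.splitlines()):
        print(f"{ts:%H:%M:%S} {kind:24s} source={ip} user={user}")
```

Run against the sample, the detector reports the brute-force burst at the fifth failure (14:01:08) and again when the same address succeeds at 14:01:30; the two isolated failures from 198.51.100.22 fall outside the window and stay quiet. The same loop can sit on `tail -f /var/log/auth.log` instead of a string, which is the difference between a forensic source and a monitoring source.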
Once they understood the need for the coverage, Gervis says, the process of choosing a provider for cyber liability insurance was relatively straightforward. "We did it based upon quality, the rating of the insurance company, as well as cost. We had some people who put lowball bids in, but we weren't that comfortable with their rating, so we went with a better-rated company," he says. "It was a typical insurance decision."
And NeoSpire is now working with its customers to help them seek similar solutions. "Generally, what our customers will do is they'll just forward along the security questionnaires that they get straight from the insurance companies, and we supply all the supporting information, like our SAS 70 reports and also some industry standard security assessments like PCI reports on compliance," Bruton says. "And we'll get back on the phone with their insurance companies if we need to, and make sure that they understand what components are outsourced to NeoSpire and how they're being implemented for our customers."
Gervis says assistance like that can be enormously useful for the insurance companies themselves. "It's not like car accidents or things like that, where you have years of historical data and you can really get good at underwriting and knowing the risk of it. I think, being relatively new, it'll take several years for things to get very standardized," he says.
The bigger issue, Bruton says, is that most companies just don't seem to be aware of the need for cyber liability coverage. "They're absolutely aware of the need for security, but they're not so much aware of the insurance side of it," he says. "They think it's covered by the G&L policy."
At the same time, Bruton says it's worth noting that some companies do need this kind of protection more than others. "These are liability policies, so they're going to protect the organization against the risk of, primarily, being sued in the event that they had sensitive data that was compromised, and then if you've got healthcare data, payroll data, stuff like that, you're going to have a lot of regulatory penalties as well. So if you're an organization that handles that sort of information in a fashion where it's exposed to the risk of a breach, being on systems that are connected to the Internet, then it's something you definitely want to consider," he says.
And while many companies may think they're already fully covered by their general liability policy, Bruton says it's worth taking a second look. "Obviously, you want to make sure that your insurance will cover you. If you have a breach, it'll be twice as bad if you can't financially survive it," he says.
Jeff Goldman is a veteran technology journalist and frequent contributor to eSecurityPlanet. Follow eSecurityPlanet on Twitter @eSecurityP.