Philadelphia Insurance Companies


7/13/12

Cyber Risk

Summary: With adequate controls, a general understanding of the regulatory implications of a privacy breach and knowing the insurance consequences, you will be much better prepared if a problem with your company's technology does happen.


Understanding your exposure to technology and implementing baseline controls should always come before you consider insuring those risks.

What is a firewall? What would I do with a privacy policy? What is encryption and why would my company need to encrypt any of our data? How would I implement an incident response plan? How many personal health records do we have in our database? Do we do background checks? Who has access to our server room? Why do I need to answer so many questions just to get a proposal for insurance?

These are the types of questions that come up during the cyber insurance application process, and this is often the first time someone outside of the IT department has had to answer them. With the growth of the cyber insurance industry, now estimated at almost $1,000,000,000 in gross written premium for 2011 [1], risk managers, insurance agents and boards of directors are wondering why they now also have to talk to the IT department when discussing risk management and their insurance renewal.

A vendor mistake, administrator's misconfigured firewall or even an improperly negotiated cloud contract can pose a systemic risk to your corporation.

Regulatory expectations continue to be set higher (due to increased enforcement of the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act, the attention drawn by 46 different state notification laws enforced by State Attorneys General, and the Fair and Accurate Credit Transactions Act), and consumer opinion is constantly being expressed in the form of class action suits. These situations continue to get more difficult to navigate.

Plaintiffs' attorneys consistently bring suits alleging monetary damages as a result of privacy or security breaches. Not having adequate controls is the common focus of such suits that follow a breach. Additionally, the bad actors trying to improperly gain access to your information will consistently focus on firms that lack simple or intermediate controls.

According to Verizon, 96% of attacks were not highly difficult and 97% of breaches were avoidable through simple or intermediate controls [2]. Your own data (account lists, legal documents, vendor agreements, price lists, R&D information, trade secrets) and client/patient information (personally identifiable information, health records) are what the hackers want.

Implementing baseline controls is the first element of fixing your cyber problems.

Several states have enacted laws that expect these baseline controls to be in place to protect their consumers. In Massachusetts, for example, there is a regulation (WISP [3]) that expects a legal entity holding personal information about a Massachusetts resident to develop and implement a written information security program to protect that personal information. If this standard is not met, on top of civil penalties of up to $5,000 per violation, the corporation could also face negligence-based litigation.

Like every state notification law that exists today, the law is based on the location of the consumer, not the corporation's place of domicile. In Nevada, since 2008, businesses have been required to use encryption when transmitting a customer's personal information externally (aside from fax) [4]. Additionally, PCI (Payment Card Industry) has required all corporations involved in a credit-card transaction to be compliant with varying degrees of requirements based on size. For additional information, refer to https://www.pcisecuritystandards.org/merchants/how_to_be_compliant.php.

This is an important step for those companies dealing with credit cards. The 2012 Verizon Data Breach Investigations Report also found that 96% of victims subject to the PCI Data Security Standard had not achieved compliance. This statistic shows the importance of taking security controls seriously.

Once your organization takes cyber security controls seriously and understands that even the best controls don't isolate it from the exposures that exist, you should then take the time to discuss the insurance implications. Your insurance agent or broker can not only provide input on how your current insurance coverage(s) could respond, but also put you in touch with underwriters at over 30 insurance markets who have dedicated cyber products and submission processes and are able to design coverage specific to your company. Additionally, most markets can help with loss control and ensure that you stay abreast of the current threat environment.

With adequate controls, a general understanding of the regulatory implications of a privacy breach and knowing the insurance consequences, you will be much better prepared if a problem with your company's technology does happen.

[1] Betterley Report, Cyber/Privacy Insurance Market Survey 2012

[2] Verizon 2012 Data Breach Investigations Report

[3] Massachusetts 201 CMR 17

[4] Nev. Rev. Stat. 597.970(1) (2005)

About The Author

Matt Prevost

Matt Prevost is an Assistant Vice President in Philadelphia Insurance Companies' Management and Professional Liability Division. He is the Product Manager for both the Cyber and Miscellaneous Professional Liability Products, responsible for the nationwide underwriting, training, production and claims management for both products.
