November 18, 2015
5 Questions to Ask About Cyber
by Michele Tran
Not all cyber policies are created equal, so here are five issues to consider when purchasing coverage, to avoid nasty surprises.
Cyber security placed first in a list of emerging casualty risks among insurance buyers, according to a survey of 135 insurance professionals conducted by London-based specialty lines broker RKH Specialty. 70% of respondents put cyber risk in the top spot. According to a Best’s News Service article about the survey, healthcare and retailers have been the major buyers. Logic will tell you that the reason for the growing demand for specialized cyber coverage is the simple fact that losses stemming from cyber-related attacks and business interruption can be catastrophic.
Of course, not all policies are created equal, so here are some things to consider when purchasing cyber security coverage to help ensure that policyholders are adequately protected from the losses after a cyber attack.
#1 If your business has a cyber attack, will your operations cease or be interrupted? If so, you need to make sure the cyber coverage you procure has “business interruption coverage.”
#2 Does your cloud contract stipulate that your third-party cloud vendor must meet all the federal regulatory requirements in encrypting personally identifiable information (PII) and healthcare records? If not, you need to verify how the third-party vendor is protecting your employees’ and patients’ information from cyber attacks and whether its cyber coverage will protect you.
#3 Do all mobile devices – such as smartphones and tablets – have proper encryption software to protect personally identifiable information and healthcare records? HIPAA security regulations require healthcare providers to use encryption as a means of protection for their patients’ electronic PHI. If they don’t do so, healthcare providers can be heavily penalized by federal regulators. Most cyber policies have a stipulation that, to be covered, all insureds must adhere to the most recent encryption requirements for electronic protected health information (ePHI).
#4 Does your legal counsel have experience responding to cyber attacks? Businesses often have their own attorneys and use them frequently for everyday operations. However, the likelihood is that the in-house counsel does not specialize in the legalities of cyber attacks. Having an attorney who specializes in data breaches can make the process run more smoothly and ensure that important details are not missed or mishandled – such as notifying regulatory agencies, properly setting up notification of employees and patients as well as advising PR staff on all media inquiries and other external communications.
#5 Does your business have an expert consultant it can call on to make recommendations on cyber coverage or risk management strategies to reduce the risk of attacks – or to help manage the crisis after an attack? Enlisting the help of a cyber-liability expert and mapping out a plan can help mitigate the potentially catastrophic losses related to a data breach event.