Cyber space has become a dangerous source of crime and disruption. Data breaches are increasing both in terms of size and frequency, and companies need to rethink their risk strategies, especially when it comes to cyber security and insurance protection. Businesses can no longer simply rely on existing traditional insurance coverages such as general liability or property, and should be looking at the procurement of standalone cyber policies, not only to ensure the organisation is fully protected financially, but also the risk mitigation services that frequently accompany such policies which allow companies to become more cyber resilient.
Cyber risk is still a difficult area for many companies to get their arms around. It is constantly evolving, is full of complexities, and involves intangible data, which presents a challenge for many companies. However, boards are starting to get more involved and taking a high-level and holistic approach to how cyber matters are handled within organisations – and this is good news.
Changing regulations are also having an impact on the cyber landscape. In Europe, the recently enacted GDPR has spurred a spike in interest in cyber insurance policies. The U.S. has long been considered to be a more mature market and has had data breach notification laws for many years, but it is worth remembering that every state in the U.S. has a slightly different variation on what is required in terms of notification. This can create a significant challenge for international companies which operate on a global basis, as the laws of the U.S. and E.U. could apply, but also laws in Australia, Singapore, and Mexico to name a few. Brazil will also have a new law going into effect in early 2020 – and the numbers continue to grow. It can therefore be a challenge for companies to understand what laws have to be complied with, and to whom and how notification has to be made. A standalone policy will provide the services of a network of experts to enable a company to follow that compliance process.
"It’s crucial that businesses not only protect themselves from cyber threats, but also adopt a mindset of resilience to minimize any impact."
Lori Bailey, Global Head of Cyber Risk
From an insurance standpoint, there is a growing awareness that traditional property-casualty policies were never designed for cyber-related risks. Standalone cyber policies, on the other hand, have been specifically designed to respond to these incidents and address the expenses and costs associated with cyber related risks that a business might incur. For example, a typical cyber policy will afford coverage for privacy breach costs which are generally incurred as a result of data breach notification laws, such as credit monitoring expenses, legal expenses, public relations and crisis management, and forensic investigations. Insurers also have relationships with expert firms that are well versed in cyber incidents. This is crucial because, every hour, every minute, is of the essence when responding to a breach.
But there is still an education process required around cyber policies, especially for mid-market companies which often have to weigh the cost relative to the scope of coverage provided. That said, publicity around cyber events has undoubtedly increased awareness of the need for cyber policies. Cyber attacks are increasing in terms of frequency and size, across all regions and all sizes of companies. There has been a significant surge in data breaches since 2015*, and the scale is getting much bigger in terms of the number of impacted records and the magnitude of business interruption.
We work with companies to help them become as cyber resilient as possible. This is partly about helping them to protect their data and their networks as best they can. But it is also about ensuring that they are fully prepared in the event of a cyber incident, and have embraced cyber resilience at all levels of the organisation, and continue to improve and build their resilience over time.
There are three main elements to a successful cyber security strategy. First, it is about building a culture of awareness, making sure that the board of directors is engaged in the process and is setting the tone at the highest level. And making sure that this filters down through the C-suite, to senior management, all the way down to the employees, as they all play an important role in keeping themselves and their company cyber safe. Secondly, it is about adopting a mindset of resilience. You can educate employees, and have the best firewalls and intrusion-detection software, but at the end of the day an incident can still happen that affects the network and causes a data breach or a disruption. In the event of an incident, how quickly can you get back up and running? Organisations that have adopted that mindset of resilience are the most successful in handling any sort of cyber incident.
Thirdly, it is about practicing – have a business continuity plan, a disaster recovery or incident response plan in place, but also practice it on a regular basis, engage in drills and exercises and different scenarios, just as you would with a fire drill.
Companies now have a much greater appreciation of the coverage included in cyber policies and the services that wrap around these products, whether that is pre-breach mitigation or post-breach response. These are important to ensure that a company is prepared for a cyber incident. It is all about cyber resilience, as for many big businesses, the question is not whether a cyber incident might occur – it’s simply a matter of when.
*As per Privacyrights Clearinghouse (www.privacyrights.org).
Legal disclaimer. The information in this publication was compiled from sources believed to be reliable for informational purposes only. Any and all information contained herein is not intended to constitute advice (particularly not legal advice). Accordingly, persons requiring advice should consult independent advisors when developing programs and policies. We undertake no obligation to publicly update or revise any of this information, whether to reflect new information, future developments, events or circumstances or otherwise. Risk engineering services are provided by The Zurich Services Corporation (ZSC). ZSC does not guarantee any particular outcome and there may be conditions on your premises or within your organization, which may not be apparent to us. You are in the best position to understand your business and your organization and to take steps to minimize risk, and we wish to assist you by providing the information and tools to help you assess your changing risk environment. Nothing herein guarantees or implies insurance coverage for any particular claim or loss.
Cyber Security & Privacy Liability Solutions
Regional Risks of Doing Business (pdf)