Banking Industry Blog | HORNE

Clarifying the Cost and Value of Cyber Insurance

Written by The HORNE Banking Team | June 29, 2016

As we are all aware by now, data breaches are a fact of life for most businesses – and in particular for businesses that collect or engage private customer data within an internal electronic network. The annual Ponemon Cost of Data Breach Study: Global Analysis report provides indisputable evidence that cybercrime is a permanent risk organizations need to be prepared to manage.[1] In particular, highly regulated industries (i.e., financial services and healthcare) have the most costly data breaches because of fines and the higher-than-average rate of lost business and customers.

While improvements in data governance are showing promise in reducing the cost of data breaches, it’s also up to businesses to take the initiative to control the occurrence and liability of cybercrime.

Despite measures to prevent data breaches, total protection is a virtual impossibility. For that reason, mitigation and recovery efforts should be high on the priority list. Cyber insurance is gaining traction as a reliable way to contain the costs of a cyberattack and/or data breach. For banks, these policies cover liability for a data breach in which the customers' personal information has been exposed or stolen by a criminal who has penetrated the firm's electronic network.

Policies can cover a variety of the expenses associated with data breaches as well as liabilities coming from issues like business interruption, data loss, computer fraud, funds transfer loss, and cyber extortion. Our HORNE Cyber team is asked frequently about the most important considerations in purchasing a policy.

Understanding what needs to be covered and quantifying the risks of loss associated with cyber insurance policies can be difficult. The answers are individual to each business and often are complex. We have pulled together some of the most widely discussed topics here in an effort to provide you with a good starting point for considering what kind of cyber insurance policy would benefit your bank most, and we encourage you to reach out to our team for more information specific to your organization’s most pressing needs.

Retroactive Coverage

It takes an organization an average of 256 days to identify a cyberattack. The longer it takes to discover an attack, the more costly it is to recover. By implementing Advanced Penetration Testing you can lower this risk and potentially identify previous breaches or attempts at attacking the network. This process can help to reduce the need to make retroactive claims, but it’s important to ask for retroactive coverage when first signing a contract.

Vendor Liability

The high-profile 2013 Target breach opened organizations’ eyes to the importance of vendor management. Get coverage for claims resulting from your vendors. And particularly for banks, which handle sensitive customer data, it’s imperative that your liability to them is covered.

Internal Risk

More and more, cyber risk comes from “inside the house.” Include coverage for any loss of data due to employees or others who could unintentionally contribute to a data breach or loss.

Physical Systems

Remember that your cybersecurity is not confined to your server and PC environment. It crosses into nearly every physical asset – any door locks, security cameras, phone systems, HVAC, and control systems linked to your network are accessible and exploitable. This is an area of complexity because the lines between physical and cyber insurance products can become blurred. Make sure to clarify whether a cyberattack on your physical systems constitutes an additional breach.

Ways to Lower the Cost

Because cyber risk is so difficult to quantify, these policies tend to be highly customized and therefore more costly than non-cyber insurance. Clients often ask, “If we get the Advanced Penetration Test, will our insurer give us a break on our cyber policy?” While the answer historically has been a solid “no,” we are starting to hear “yes” as insurers begin to understand the benefits of this proactive approach to cybersecurity. Ask your insurer for a lower rate after an advanced penetration test is conducted and findings have been remediated.

We’ve seen that a comprehensive cyber plan is no longer just about the loss of data. Cyber policies are an important part of your offense strategy. But they’re expensive and complicated, so you need to make sure they will cover you in the event of a breach. Pay particular attention to exclusions and to the costs you’ll incur if your systems are brought down for an extended period of time.

As a combined team of banking and cyber specialists, we can help you put useful preventative measures like Advanced Penetration Testing in place and know exactly what questions to ask. It benefits you to get in touch right away to be sure you’re as protected as possible.

 


[1] 2016 Ponemon Cost of Data Breach Study: Global Analysis