When a burglar breaks into your home, insurance is there to help you bear the financial burden of your loss. Likewise, when your car gets stolen, insurance helps mitigate the cost to replace it.
But when it comes to your business, are you properly insured?
To this point many businesses have grown accustomed to purchasing insurance policies like the ones mentioned above – policies involving their commercial property, business interruption, or even professional indemnity. While those policies help protect their financial interest in many areas, they do not cover a majority of the disasters that arise in the current digital age, specifically data breaches and non-compliance under the new GDPR.
Data breaches are already reaching all-time highs this year (2,227 publicly disclosed data breaches with more than 6 billion records exposed in 1H 2017) and the UK Government estimates that the average cost of a cyber-security breach is £600k-£1.15m for large businesses and £65k-115k for SMEs. This is irrespective of the fines and sanctions under the new GDPR, which will surely add to those costs.
With that being said, it will be imperative for any organization that deals with corporate and customer data to be able to protect themselves financially in the event of a breach.
The good news is that cyber insurance firms are offering new policies to help organisations protect themselves from the financial implications of a breach. These new specialised cyber insurance policies can cover the losses relating to damage to, or loss of information from, IT systems and networks.
Ahead of the new GDPR, which is just a little over 9 months away, we’ve been speaking with some of the leading insurers and brokers currently covering these new cyber insurance policies. Both sides agree that data breach and non-compliance are very serious concerns and with the right policy in place the financial impact can be mitigated so that businesses are not crippled, or worse, forced to close up shop.
Being that this is a bit of uncharted territory, there have been some difficulties for both sides when creating the policies.
I had a chance to chat with Tom Draper, Technology & Cyber Practice Leader at international broker and underwriter Arthur J. Gallagher, about the struggles both customers and providers are having. He had this to say:
“With the GDPR fast approaching we are seeing an influx of potential clients who are concerned not only about breaches, but about their vulnerability under new regulations involving things like customer data requests. As with any other type of insurance, providers need to know exactly what data they are insuring, where it lives, and how it is protected.
“This is where the real problem starts for most clients as many of them do not know exactly what data they have, and more importantly, where to even find it. Therefore organisations will need to make data analysis and classification a primary initiative when preparing for the GDPR, especially when looking to secure coverage from any cyber insurance provider.”
Tom and his brokerage are one of many very helpful resources we have worked with to better understand how we can help our customers get more protection ahead of the new GDPR. Although we have not discovered an insurance policy that will provide payouts for GDPR transgressions themselves at this point, purchasing the right insurance policies will significantly reduce your overall financial vulnerability.
Many policies that are currently available are customizable and they generally all include significant assistance with and management of any incident that may arise, which can be essential when faced with reputational damage or regulatory enforcement. Policies are generally available for SMEs with cover limits between £100k and £5 million, although significantly higher amounts of coverage are available for firms facing more complex cyber risks.
Echoing Tom’s sentiments, I highly advise that one of the first steps you should take when looking into cyber insurance is to analyze all of your data and classify it so both you, and your insurance broker, know exactly what you are dealing with. If your organisation has a large volume of highly sensitive data you will clearly want to invest in a more comprehensive cyber insurance policy, and vice versa.
Secondarily, I would advise that you evaluate data management and governance solutions that can provide real-time insights and alerts about the movement of your organisation’s data. Deploying one of these solutions will not only make protecting your data easier, it will make your organisation more insurable in the eyes of providers. Some early conversations with brokers have suggested that there may even be discounts available for clients who deploy these types of solutions in the future.
Given the complexities, ever-changing threats, and limited historic data that exists around cyber security, it is worthwhile to be as proactive as possible. Uncertainty generally results in higher premiums, and the cost of cyber insurance can be as much as three times higher than more established liability risks. The more detail you can provide about your data and the more protection you can put in place, the more comfortable underwriters will feel about insuring your organisation.
Creative Commons Photo Credit: Source