Cyber risk insurance held by few U.S. firms, creating vulnerabilities

PHILADELPHIA—While only a fraction of U.S.-based companies have cyber risk or network security insurance, covering financial losses associated with a cyber-security breach does not mitigate the risk of a breach itself, data protection experts warn.

Roughly three-quarters of U.S.-based companies do not have cyber risk or network security insurance, citing confidence in their own internal controls or a general disbelief in their exposure for forgoing the coverage, according to a recent study by New York-based Towers Watson & Co.

Conversely, companies that do purchase the coverage—particularly small and midsize firms, experts said—tend to assume that the insurance relieves them of having to develop data protection protocols and breach preparation strategies (see related story).

“It's one of the most common misconceptions that we see in this space,” Larissa Crum, executive vp at Claysburg, Pa.-based Immersion Ltd., said during the 2012 NetDiligence Cyber Risk and Liability Forum, held June 4-5 in Philadelphia. “Mitigating the risk is really all about preparation, while purchasing cyber insurance is really only about transferring the cost of the risk. They're not mutually exclusive.”

To substantively reduce their exposure to data breaches, companies must adopt a shared responsibility for cyber security procedures and breach response planning across multiple corporate disciplines, including risk management, information technology, legal counsel, outside consultants and senior company leaders. Above all, the experts said, those preparations must be made before a breach if they are to be of any real value.

%%BREAK%%

“If you're trying to back into the preparation strategy once an event has begun, you're not going to be thinking clearly and there's a whole slew of things that can go wrong,” said Christopher Novak, a managing principal at New York-based Verizon Business, a division of Verizon Communications Inc. “We stress to folks the importance of getting these things moving before a breach event begins, because it can really go a long way toward mitigating your losses and liability.”

One crucial piece of effective cyber risk mitigation that mid-market companies often overlook is developing and regularly testing a crisis response plan. Generally, companies should identify ahead of time key internal personnel best suited to separately address the issues that typically arise during a cyber-related crisis, experts said.

Risk management leaders and general counsel can focus on coverage-related matters such as cross-policy response and claims processing, while IT managers and internal auditors can focus on determining the source and extent of the breach itself.

Companies also should designate personnel to handle media inquiries and public statements, provider interactions and notification responsibilities for affected customers, including continuous maintenance of a dedicated contact list to notify customers, suppliers and others.

External points of contact also can be of vital importance when a data breach does occur. Crisis response planning typically should include regular communication with providers and business partners to address continuity issues, as well as local and federal law enforcement, outside legal counsel, public relations firms and forensic investigators.

%%BREAK%%

“In the event of a crisis, you don't want to find yourself stumbling to get hold of a vendor, get a press release together or fighting amongst leadership to determine who's going to answer media questions,” said Richard Pcihoda, director of risk management at Philadelphia-based PREIT Services L.L.C. “It's important to have an internal and external team that's ready to go, and those teams need to have a written plan.”

As robust as a mid-market company's data breach response plan may be on paper, only thorough and frequent testing of that plan will indicate its real value. Routinely conducting tabletop rehearsals or simulated breach events can minimize complications during an actual crisis by exposing outdated lines of contact, lagging incident response times and other weaknesses in the overall planning, experts said.

“Walk through the scenarios and make sure you have some senior executives to emphasize that it's important,” said Keith Morales, information security officer for the Federal Reserve Bank of Philadelphia. “It may not be perfect and you may get it wrong, but at least your company will know who the key players are and will have some measure of response.”

Also commonly overlooked, especially at the mid-market level, is how a company's employees influence its data protection efforts. According to a study by Philadelphia-based NetDiligence, the marketing arm of Network Standard Corp., on cyber liability claims, more than one-quarter of the data breach claims analyzed were attributable to lost equipment and other employee errors. Experts said training employees—particularly anyone who regularly transports data or equipment offsite—is a low-cost method to reduce the risk of data security failures.

%%BREAK%%

“Without that kind of fundamental awareness among the entire staff, the risks that they expose themselves and the company to run the full gamut,” said Oliver Brew, vp of professional liability at Boston-based Liberty Mutual Underwriters Inc. “It's not just the IT staff that needs to worry about data security; it's every employee's responsibility to manage any data that they're handling. It's a cultural issue that should be led from senior management all the way down to the general workforce.”

One tactic experts suggested to enhance employees' efforts to avoid cyber risks is incorporating adherence to company data protection policies in performance reviews, at least for key personnel if not all employees.

“Identify within your company who could cause the biggest problem or loss event if something goes wrong with their equipment or if something is lost,” said Rebecca Cady, director of risk management at the Washington-based Children's National Medical Center. “Make sure that those individuals' bosses are looking at whether they're being diligent in protecting their data.”

PLUS: Get more information about important Cyber Risk issues impacting your business in our new white paper, "Data Protection: What risk professionals need to know about cyber risk management."