Risk assessments can help determine cyber insurance needs

Firms considering cyber coverage should begin by assessing their risks and perils and considering whether these are already covered or excluded by other policies, says a report issued Thursday by the Risk & Insurance Management Society Inc.

A company, for instance, that handles or stores significant amounts of third-party, personally identifiable information should consider coverage that includes both security and privacy liability as well as regulatory actions such as fines, says the RIMS Professional Report, “Cyber Insurance Considerations for Businesses.”

It was written by Teri Cotton Santos, senior vice president and chief compliance and risk officer at The Warranty Group Inc., based in Chicago, who is a member of the RIMS External Affairs Committee.

When evaluating cyber coverage, firms should also consider whether the policy covers a third parties’ acts of omissions, which is particularly pertinent for companies that rely on outsourced vendors to manage their data, says the report.

In addition, policyholders should consider language related to shortcomings in the insured’s security, “which can be subjective and therefore should be avoided,” says the report.  Some policies exclude acts of terrorism, it adds.

The report says insurers are also increasingly offering risk control packages to reduce cyber risk, which may include employee educational tools, limited legal consultations, crisis management plans and technical support offered by security vendors.