Cyberinsurance Not A Cure-All For Data Breaches

March 16, 2016

Recent news stories have left auto insurance companies keeping a wary eye on hackers. Cyberthieves can hack into insurance companies’ smartphone apps, or even access a car’s computer system through the dongle devices used to monitor driving habits.

Unfortunately, a recent survey reveals that cyberinsurance is not a cure-all for problems created by data breaches.

But the report, which was compiled by insurance analytics company Advisen Ltd. and data response firm ID Experts from a survey of 203 risk-management professionals, offers advice for companies seeking cyberinsurance.

Cyberinsurance policies are not a one-size-fits-all solution. The report said cyberinsurance is designed to protect companies in case of “low-frequency but high-severity” attacks affecting thousands of electronic records. But the costs of most data breaches fall below deductibles in many companies’ policies. That may not be a problem for larger companies, but experts say the costs could be significant for smaller companies.

“Cyberinsurance is by no means intended to be a one-size-fits-all solution,” Greg Podolak, head of Saxe Doernberger & Vita’s cyber-risk practice, told Law360.

Companies should negotiate retroactive coverage. The report urges companies to negotiate cyberpolicies with favorable retroactive coverage. That way the company is covered in case it suffered an undetected breach before obtaining the policy.

“The report alludes to the fact that some policyholders are breached before they even know it,” Anderson Kill shareholder Joshua Gold told Law360.

Be aware of coverage gaps. Companies could still be responsible for part of the bill, even if the data breach was serious enough to trigger cyberinsurance coverage, according to the report. Company losses could fall under common exclusions included in cyberpolicies. Such exclusions may include lost business or profits as a result of bad press following a data breach.

Some insurance companies such as AIG are beginning to specialize in difference in conditions (DIC) insurance to cover policy gaps. “That type of DIC policy basically sits over traditional property insurance,” K&L Gates partner Roberta Anderson told Law360.

An even newer emerging market is insurance covering a company’s reputational harm following a data breach.

The IT department shouldn’t tackle a data breach alone. The report said 60 percent of the companies surveyed said their IT departments act alone in handling data breaches. But Podolak said a response should be multidisciplinary: “It’s not just an IT problem.”

The report urges using breach-response vendors to manage forensic analysis, notification about the data breach and public relations. “That will help the company mitigate its overall exposure and harm to their brand and reputation,” Anderson added.
