The inextricable link between PII and cyber insurance

Protecting organisations from cyber-crime and its financial impact has become a C-suite imperative. In the event of a breach, cyber insurance may help cover the financial losses incurred; however, it is not a free pass. Several factors can affect the insurance payout, and PII plays a key role in determining the outcome of a claim. This article explains how to maximise your coverage to ensure the best outcomes.

Any organisation that holds data is at risk of a breach. This risk compounds when organisations hold sensitive data such as PII (personally identifiable information). Since data breaches have the potential for catastrophic financial and reputational damages depending on their severity, cyber insurance is fast becoming a C-suite imperative to provide a safety net from financial loss.

But simply having cyber insurance is not a free pass. There is the question of accountability and obligation. Knowing how providers calculate the cost of coverage helps you not only secure the best premium, with the highest chance of a frictionless payout if an issue occurs, but also ensure you actually get paid at all in the event of a breach. This is why tightening your data governance controls to meet the expectations of cyber insurers, particularly around data minimisation, can help you get the best insurance outcomes. Here is what you need to know.

A study in 2019 reviewed cyber insurance policies in the United States, which covered both first-party losses (damage or loss to your own data and systems from a breach) and third-party losses (incurred as a result of litigation from your clients, customers, or partners, after your breach causes a loss or damage to them). The review found that policies tended to differentiate between the breach types of: data compromise and identity recovery; system damage and disruption; and extortion (such as ransomware). The top three types of losses covered are, in order of prevalence: expenses and penalties from claims; public relations services; and notifications and services to affected individuals. These all relate to data compromise, and specifically PII breach. Losses for system damage and extortion are less commonly covered.

In summary, your cyber insurance is most likely to focus on PII breach, and the cost of remedying that breach with affected stakeholders. Anything else is a nice-to-have!

It is also important to note that many policies in the study excluded coverage entirely in the case of criminal or fraudulent acts, or negligent disregard for security. Many policies also exclude loss of your trade secrets or IP. This means that you cannot transfer the risk of your staff mishandling PII and other secrets to the insurer. You must use other controls, internally, to manage both the likelihood and the impact of this risk.

It follows that premium pricing focuses very much on the amount and type of PII you hold, and how you protect it.

Cyber insurance providers tend to be opaque about how they assess cyber risk, and how they subsequently decide to cover you (and how much they charge). But the same 2019 study also found that in the ‘security questionnaires’ that potential policyholders have to complete, the sections capturing types of sensitive data held, and protections applied to it, tend to be significantly more extensive than other sections such as technology landscape and governance.

The study found that organisations holding large amounts of PII (identifying information), PCI (financial information), or PHI (health information), for example, are considered ‘high hazard’ and, therefore, usually attract a higher premium.

Information and data management is a key factor in determining your underwriting risk. A cyber insurance policy is more likely to cover PII breach than other breach types, and payouts are most likely to be made for PII breach remediation. Pricing of your policy is most likely to be based on the amount of PII you hold, and how you protect it. The study found that, when it comes to assessing your information and data management, ‘the most common question in this category was whether a data retention and destruction policy existed.’

Overall, the larger your organisation is, the more you are likely to pay. In order to get the best coverage, for the best premium price, you must get your house in order.

Here are some of the ways to do that:

  • Have a data retention and destruction policy for your PII
  • Minimise the amount of PII you hold, and know how long you are required to store it by law
  • Track all user activity on PII — because your insurance probably won’t cover deliberate or negligent breach by your staff
  • Identify, track, and minimise your other confidential data — because again, your policy probably won’t cover its loss or spill
  • Take as many precautions to avoid a breach as you can. Be proactive and take steps to meet your data obligations. Not just because failing to do so will cause harm, but because your premiums will almost certainly go up (the ‘prior acts’ factor)

Your organisation is likely to have PII and other sensitive information stored, which needs to be insured. But knowing where it is across the whole enterprise, who is doing what to it at any given time, and how long you have to keep it under law is an impossible task without effective technology.

Castlepoint registers every document, email, and database row in the enterprise, and automatically detects and reports on sensitive content (including trade secrets and other high-risk data, not just PII, PCI, and PHI). It captures events and alerts on suspicious activities on that data, and, vitally, automatically determines how long it needs to be retained under law. This means you can dispose of high-risk information that no longer has value as soon as it comes due for destruction, significantly reducing your risk (and, as a result, your premiums).

Having an explainable, easy-to-use Artificial Intelligence solution in place, as used by Tier 1 government and corporate clients around the world, can materially change your risk profile in the eyes of your insurers and help you get the best value from your cyber insurance policies. Contact our team to find out how we can help reduce your risk and spend for cyber and privacy breaches.
