We’ve been busy at our little firm lately dealing with breaches of security safeguards. Some of these cases are minor, involving less sensitive information and affecting only a small number of people. Others are more complex involving large amounts of information, bad actors and complex IT forensic investigations. There’s definitely not a one-size-fits-all approach to data breach work.
Some of our clients have insurance for these incidents, while others do not. What about you and your organization? Do you have some sort of insurance policy that would kick in if you experienced a breach of security safeguards? If you don’t, why not? If you do, does it give you peace of mind commensurate with the premium you’re paying?
I’m not an expert in cybersecurity insurance policies, but my business partner, Tim Banks, brainstormed with me to come up with a list of things to think about when shopping for this type of policy. Off the top:
- Does it offer first-party and third-party coverage? In our experience, nearly all the policies we see offer both, but you may still want to be sure.
- Is the service provided by the insurance company a "one-stop shop"? In other words, do they provide access to designated lawyers, crisis communications, forensic IT firms, credit monitoring, etcetera, or do you build your own team and get reimbursed? Again, there is no one-size-fits-all or right answer, but you should think about what your preference is and why. One of the things to consider is how advanced your own cybersecurity incident response plan is.
- Are state-sponsored attacks included?
- What are the restrictions on ransom/extortion payments?
- Are regulatory fines included?
- Is credit monitoring/identity theft coverage available? Are there limits on its availability like, for example, if it is only available when legally required?
- Is there business interruption coverage?
- Does it include your data when stored and processed by a third party?
- How extensive is the coverage for replacing equipment — what if you have to replace 1,000 laptops or 200 servers? What about the person-power costs of re-imaging machines?
I’m sure there are many other considerations, as well, and if you have thoughts on this, I’d be curious to hear from you.
OK, now that you’re thinking of insurance, do the one thing that will help you stay on top of developments and thus reduce your risk of exposure: Be informed, and read the rest of the digest.
Cheers, and have a great weekend.