Every organization, for-profit, not-for-profit and government, needs insurance of some kind against cyber incidents, as LaPorte County government recently discovered when a virus disabled its email.
You can find the report in The Times from June 12. The point is that everyone needs to be trained and educated in the risks of an Internet-dependent world, and every organization needs to reduce that risk as far as it reasonably can.
How to do this and to what extent is determined by a great many variables.
As we begin, let's discuss two terms you should become very familiar with: data breach insurance and cyber insurance. Most insurance companies have their own spin on the definition of each. In the details it may seem like a distinction without much of a difference, but look to data breach insurance when the loss is physical: a stolen laptop, mostly paper records, or heavy use of mobile devices.
If you are hit with ransomware or hacked some other way over the Internet, that is usually the domain of cyber insurance. Either way, you will want coverage sized to your likely costs. Ponemon Institute, a great resource on cybercrime and cyber insurance, estimates the cost of a hack or data breach at between $200 and $400 per compromised record.
Certain industries, such as health care, sit at the high end of that range, while companies that do not rely on the Internet sit at the low end of risk. Everyone else falls somewhere in between.
A lot goes into deciding how much insurance is needed, and I encourage every organization to have a serious conversation with its insurance agent before settling on a number.
Do you already have general liability insurance? Many general liability policies include a small amount of cyber coverage, say $10,000, but not all do.
Do you have minimal paper records, no accounting software or other software that stores information about your company, its intellectual property, employees or customers, and a single desktop that never leaves your locked office or connects to the Internet? If you can answer yes to all of that, perhaps you can get by with $10,000 of coverage. Even then, crunch the numbers and seek counsel from your trusty insurance agent.
If you are in the legal, financial or health care industries, know that your records are virtual gold mines for identity thieves and cyber criminals. If you are an attorney, accountant or physician, think of the data you have on each of your clients and patients. Sheriff and police departments also are hot targets for data thieves for the same reason.
If you have general liability insurance, review your policy and be sure you understand under what conditions the insurance company will or will not pay.
Unless you take reasonable steps to protect your data, do not expect the insurance company to pay simply because a cybercriminal found you; most policies require that basic precautions were in place.
Also know the difference between first-party and third-party coverage. First-party coverage addresses your own losses; third-party coverage addresses claims others bring against you. If a terminated employee steals a laptop on the way out the door, are you covered? If an employee clicks on the wrong email and installs a virus that encrypts your entire network, are you covered? What about the time you are down? What about the loss of clients? If customers whose information was stolen sue you, or you are penalized under compliance regulations, are you protected?
Will the policy you are considering protect information on unencrypted devices? For instance, if your mobile phone or laptop is stolen and it isn't encrypted, are you protected? Many policies limit or exclude such losses, so check before you rely on it.
What security controls must you put into place to meet policy requirements? Which ones will earn you a discount on your premium?
Just like the good driver discounts we see advertised, some companies offer discounts for each year there is no claim. Does yours?
Understand the exclusions, because it may not be possible for you to meet the requirements to have a claim paid. If that is the case, it's time to shop around.