Disclaimer: The views and lessons here are mine alone and do not represent my employer, the LEGO Group, or previous coursework taught at Cleveland State University School of Law.
Every organization maintains some level of risk related to its DP&P program. We can’t be perfect (no matter how hard we try), and there will always be a risk that your company’s personal data (and other confidential information) will be compromised.
Whether through a targeted attack, malicious insider, or even an employee error, a cyber security or privacy incident can happen at any time, and one way organizations can mitigate that risk is through maintaining a robust and comprehensive cyber insurance policy.
Cyber insurance products have been around for about 25 years and are a way for organizations to help manage the risk of a personal data breach or other large-scale cyber security incident. The scope of coverage can vary greatly depending on the size of the organization and the type and amount of data processed, but a strong cyber insurance policy can also be a valuable tool for heads of privacy in managing risk in their DP&P program.
Let’s take a further look.
- Like any insurance product, cyber insurance policies should primarily be viewed as a backstop to protect your organization from a catastrophic event, which for DP&P professionals would likely mean some large-scale data breach or cyber security failure that impacts the processing of personal data.
- Cyber insurance wasn’t always viewed this way though. Ten to fifteen years ago, many organizations, particularly those that may not be large enough to have full time privacy and cyber security teams, would sign a cyber insurance policy for a few million dollars of protection and feel that was enough to protect against any cyber security risk.
- Policies were relatively easy to get at lower dollar amounts (sub $5 million) and the level of diligence by the carriers and underwriters was minimal. Perhaps they would send you a questionnaire asking about your cyber security and DP&P programs and follow that up with a conference call or video meeting, but rarely was there any real validation work.
- This led to a lot of CEOs, CFOs, CIOs, and GCs deciding to underinvest in cyber security and privacy, particularly in mid-market companies, and instead manage their risk with an insurance policy. It wasn’t necessarily that they completely ignored the need to build cyber security and privacy programs and invest in technologies, employees, and controls, but when given the option of spending a few million dollars to add new capabilities through headcount, processes, and technologies or increasing their cyber premium at a fraction of the cost, they chose the latter.
- Of course, this was naïve and unsustainable, and ignored issues of trust and brand equity, and many companies that suffered breaches would tell you this approach was not prudent. During this period there also seemed to be a bit of smoke and mirrors, with organizations trumpeting their cyber security and DP&P programs to receive lower premiums, even when they lacked some of the required capabilities and controls.
- All that started to change about five to seven years ago. Premiums exploded, coverage narrowed, and the level of diligence increased exponentially. Part of this was due to ransomware attacks, which were roiling all types of organizations, but at the same time it appeared the market was finally maturing and realizing the amount of money at stake during an incident.
- Cyber insurance policies are still widely available today, but all those involved in procuring and providing large scale coverage for organizations are doing a lot more due diligence to understand the risk they’re insuring.
- When looking to purchase or renew a cyber insurance policy, be prepared to have detailed meetings to discuss your cyber security and DP&P programs with your broker, carrier, and underwriters. All those involved in insuring your organization will want a comprehensive understanding of how you protect confidential information and personal data, and poking and prodding your programs is commonplace.
- During this process, collaboration between all the key internal stakeholders is critical, including the head of risk or insurance (who will usually lead this process), CFO, CDO/CIO, CISO, GC, and CPO. All involved should be on the same page and be prepared to discuss your company’s programs, processes, and controls.
- When negotiating your cyber insurance policy there are a couple of considerations that may save you some time in the event you actually need to use your coverage. Most policies will identify preferred incident response partners, including legal counsel, forensics investigators, crisis communications support, and other third parties to support with data breach notification letters. If your organization has preferred partners for any of these areas, you can often negotiate to have your partners named in the policy instead of deferring to your carrier’s choice.
- Once you have secured a cyber insurance policy, you will likely have an annual renewal period. Every year you’ll need to meet with your broker, carrier, and underwriters to review the status of your cyber security and DP&P programs and provide them updates on significant changes and any new program elements.
- Don’t undervalue the role of relationship management with those that service your cyber insurance policy. Finding people you trust and who understand your business, particularly around cyber security and DP&P risk, will help you find the right coverage at the best price, and those people can even fight on your behalf (such as insisting you use your preferred lawyers and forensic experts) when you need to use your policy.
- If you run incident response tabletop exercises, you should think about including someone to represent your cyber insurance coverage. It can be extremely valuable to understand how different aspects of your policy will function during an incident, particularly in a low-stakes, practice situation.
- As mentioned already, a strong cyber insurance policy is an important tool for heads of privacy to mitigate some of the financial risk of a large data breach. But it shouldn’t be overly relied upon or touted internally to employees and executives as a savior. Instead, it’s important to continue developing a robust DP&P program with the understanding that insurance is there when you need it (which I hope is never).
That's it for this week. Next up is third party risk management.
And thank you again to all of you who are continuing to support this course. I greatly enjoy hearing from you and appreciate you sharing this content with others.
Comment (2 months ago): Good read. Indeed a cyber insurance policy can be an important tool for a DPO who is trying to implement a privacy program. Typically a cyber insurance policy can help to address the following with regard to privacy concerns: data breach liability, privacy breach liability, legal fees, security experts' fees, fines and penalties.