As retail technology continues to evolve, a growing focus is placed on digital protection and data security issues. In response, LP Magazine is introducing our newest digital column, bringing you the industry’s top data security experts to discuss the latest in industry news and information. This week features insights from Wendi Whitmore Rafferty, vice president of CrowdStrike Services.
Cyber Insurance in a New Age of Liability
In the wake of the Target data breach and the age of cyber-everything, many companies—and especially those within the retail industry—are rightly considering whether or not cyber insurance is a worthwhile investment. This discussion will focus on a number of the key variables your organization should consider when researching and negotiating a cyber liability insurance policy.
Like any burgeoning enterprise, the cyber liability insurance industry is not without its challenges. The market is dynamic, with new vendors entering weekly. Given the field’s growth, it lacks the decades of actuarial data that more mature offerings such as traditional liability insurance maintain. This creates a dynamic environment in which premiums vary greatly between providers, and exclusions frequently change.
While a cyber insurance policy should not be used as a catch-all to avoid critical investments in a security team and technology, it can certainly be used to offset the large cost of a data breach response and recovery. One of the benefits of maintaining a policy includes the use of the insurance company’s resources. These resources can include specialized lawyers to determine disclosure requirements and help fight class-action lawsuits; specialized security personnel to investigate and advise regarding protections before breaches and perform incident response after breaches; and credit monitoring resources to help affected consumers after a breach. In many cases, the insurance companies have negotiated rates for specialized incident response and crisis management services. These discounts alone can save an organization hundreds of thousands of dollars.
That said, there are some basics that all retail organizations should be aware of prior to selecting a cyber insurance policy. First and foremost, due to the liability incurred with processing payment card industry (PCI) data, standard policies for retailers should cover both first-party expenses and third-party liability expenses.
Basic first-party coverage items include:
- Expenses related to a cyber investigation
- Extortion claims due to data theft
- Monetary theft and/or fraudulent monetary transactions
- System loss and restoration
The basic third-party coverage items include:
- Litigation expenses
- Regulatory response costs
- Notification costs
- Credit monitoring services
- Crisis management
Some policies cover business interruption costs as part of their first-party coverage, but in the wake of recent large scale data breaches, this is becoming harder to define and, in the event of a breach, to receive reimbursement.
The caveat, of course, is that insurance providers are still in the business of making money; and the likelihood of retailers being targets of a data breach is high. Given this paradigm there are actions organizations should consider to ensure they receive the highest return on the investment of their coverage:
- Be aware that all breach-related communications are of interest to the insurer and ensure that all of those communications, from the onset of the incident, are covered under attorney client privilege.
- Evaluate a variety of providers and compare policies before making a choice.
- Ensure that someone within your organization who is familiar with cyber breaches reviews the policy in detail. If necessary, involve your outside counsel in the negotiation process.
Additionally, retailers should be aware of policy exclusions and negotiate coverage for some of the most common. These include ensuring the policy covers both third-party liability as well first-party expenses, that the plan includes coverage for retroactive breach dates, that the policy has no carve-outs for foreign enemy or terrorist acts, and that the policy extends coverage to subsequent lawsuits stemming from the original breach.
Because networked technology implementations are a mainstay within retail operations of all sizes, thieves will continue to find ways to compromise their security in the interest of monetary gain. The implementation of cyber liability insurance is one way to offset risk and ensure you are fiscally prepared if an incident occurs.
About the Author
As the Vice President of CrowdStrike Services, Wendi Whitmore Rafferty has more than 12 years experience in the computer security industry, primarily responding to critical security breaches within commercial and government organizations. Previously, Wendi spent six years consulting with Mandiant, leaving as a Managing Director. She began her career as an Officer & Special Agent in the U.S. Air Force Office of Special Investigations. She has a Bachelor’s in Computer Science and Political Science from the University of San Diego, and a Master’s in Management Information Systems from Webster University.