As cyber-attacks continue to grow in complexity and frequency, a comprehensive data protection strategy is essential, but it may not be enough. Consider that:
- 73% of companies are not adequately prepared to face a cyberattack.
- 65% of C-suite executives believe their cybersecurity strategy is well-positioned, but just 17% of these strategies are considered at the highest level.
Even when organizations have such a plan, they can face significant losses if a breach occurs. For example, the California Consumer Privacy Act (CCPA) enforces protection of consumer data and can impose civil penalties of up to $7,500 per violation in the case of a breach. The average cost of cybersecurity incidents caused by company insiders is $8.76 million.
As part of a sound framework of assessments, training, policies, and procedures, it is important to also consider investing in a cyber insurance policy. These policies further protect your credit union in a worst-case scenario and can help protect against financial losses, defend litigation, invest in forensics, and cover other unforeseen actions and expenses.
Here are four questions to ask a provider when evaluating a cyber insurance policy:
- Does the policy include both first-party and third-party coverage?
Not all cyber policies are equal in terms of the damages covered. If the policy offers first-party coverage, it will typically cover your credit union against direct losses due to a breach, such as business interruption, notifying customers of the breach, and consulting services to address the breach. Third-party insurance will typically cover defense costs and other expenses as a result of customers’ damage claims. A credit union, which is responsible for both its own data and sensitive customer data, should have both types of coverage.
- What are the limitations and requirements of the policy?
Cyber policies are subject to limitations and requirements. In addition to coverage thresholds, which will limit how much the insurance company will pay because of a breach, coverage may be subject to various requirements. For example, your credit union may need to adopt certain security protocols to do your part in keeping data safe. If those protocols are not in place or are ignored, you may find that coverage levels are affected. Be sure you discuss the requirements and limitations of the policy in full with your insurance broker.
- What is your approach to emerging threats?
Emerging innovations like artificial intelligence and machine learning give cybercriminals more tools and opportunities. Discuss your insurer’s approach to emerging threats and how they communicate the risks and mitigation strategies to policyholders.
- How will you keep us informed of the latest threats and best practices?
Look for an insurance provider that has ample resources to help you learn about cybersecurity threats and best practices. Some have support materials to help educate employees about how to protect credit union data. Take advantage of any advisory, information, or other cybersecurity support services the insurer provides to help protect your institution.
Cyber insurance can play an important role in your risk management program by providing a resource for risk-prevention measures as well as coverage if a breach does occur. Be sure you understand the difference between first- and third-party coverage, as well as the specific coverage areas and support your policy provides.
1 Hiscox, Hiscox Cyber Readiness Report 2018, 2018.
2 IBM, Securing the C-Suite: Cybersecurity Perspectives from the Boardroom and C-Suite, 2018.
3 Ponemon Institute, 2018 Cost of Insider Threats: Global Organizations, 2018.