In a recent survey from Deloitte University Press, 64.9% of participants said news of cyber-related losses experienced by others was the biggest driver of cyber liability insurance sales.[1] But why does it take another company losing millions of dollars for small and mid-size businesses to take note of their own exposures?
As an AmTrust producer, your experience and expertise are invaluable to your clients. Every time you offer advice on limiting exposure, you have a direct hand in data breach prevention. Here are 3 tips for identifying your clients' potential cyber exposure that you can use in 2018.
Tip #1: Learn the 5 Most Common Cyber Risk Exposures
The total breach cost for claims submitted from 2014 to 2017 was $202M, according to a recent study from NetDiligence®.[2] Much of this cost can be attributed to five common (and preventable) cyber risk exposures.
As of April 2016, 47 U.S. states, as well as the District of Columbia, Guam, Puerto Rico, and the Virgin Islands, have enacted legislation concerning the notification of individuals who have had their personally identifiable information (PII) compromised due to a security breach. Notifying the proper authorities when a data or privacy breach occurs can be costly but is necessary for avoiding litigation. In fact, according to the 2017 Cyber Claims Study, the maximum notification costs increased 176% from 2016 to 2017, up to $5.53M, and the average notification cost increased by 39%.
Consequences of Noncompliance
Unfortunately, the hard costs to respond to and recover from a data breach often cause businesses to close their doors. AmTrust producers can help prevent this by helping clients understand the effects of noncompliance before it occurs. As an example, the Gaming & Casino sector, which is highly regulated, incurred the highest forensics costs in 2017, averaging $345K, as well as the highest median breach cost of $190K.
Physical Data Security
Every client has data that needs to be protected, whether that’s employee data like social security and account numbers, confidential and proprietary corporate business information (e.g. potential patents), or customer data like financials and personal information. This data, whether stored physically or digitally, should be secure at all times. Physical security is another information security exposure that can compromise your client’s data.
Increased Legislation Related to Cyber Exposures
Depending on your clients’ industries, they could be regulated more heavily than ever before. For example, the New York State Department of Financial Services (DFS) has enacted legislation to protect customer information held by banks, insurance companies, and other financial services institutions regulated by the DFS.[3] Entities that are subject to the legislation must have a written policy approved by a senior officer or the board, as well as a Chief Information Security Officer. We anticipate that other states will enact similar statutes. Not following the local data and information security statutes could have disastrous effects for your clients.
Loss of Reputation and Customers
A data breach is one of the biggest exposures that a business faces, since it affects the profitability of the business. In particular, a publicized data breach can result in a loss of customers and leave the business mitigating the damage to its reputation. Further, the loss of customers can increase the cost of a data breach. Industries with the highest churn are health, pharmaceuticals, and financial services.[4] Many companies do not have a plan in place to address a data breach.
Tip #2: Help Your Clients Minimize Cyber Risk
One of the best ways for your clients to guard against cyber exposure is to make sure no cyber exposure is left undefended. To do that, we recommend regularly completing a Cyber Security Risk Assessment. During this analysis of the client’s cyber risks, consider the following:
All employees should be trained on the importance and methods of data security. Both physical and digital records should be safeguarded at all times, and confidential information about clients, employees, or corporate affairs should always remain secured.
Old data should be properly archived or deleted based on local and federal laws and company policies. A data breach can result in malpractice and could lead to litigation.
All data, whether on a personal device, computer, or server, should be protected by proper encryption. Companies in many states can benefit from safe harbor exemptions that only apply if the company can prove the data was encrypted before a breach.
Data Prevention Preparation
While having a good procedure in place is a great way to prepare for a cyber security breach, an untested procedure could have many flaws. Practicing the breach plan offers the opportunity to uncover and plug any holes in the plan before there’s an actual data breach.
[1] PartnerRe in collaboration with Advisen, “Cyber liability insurance market trends: Survey,” October 2016, Deloitte University Press.
[2] NetDiligence® 2017 Cyber Claims Study – eRiskHub® Exclusive Expanded Edition, Version 1.3
[4] Cost of Data Breach Study: Global Study, Ponemon Institute, May 2015