Top 4 tips for minimizing a data breach's financial impact

By Rene Letourneau

In the wake of some recent high-profile data breaches, the importance of breach preparedness programs and cyber liability insurance is coming into sharp focus as a way for companies to protect themselves from costly security failures.

“There’s no question that cyber liability insurance lessens the financial pain associated with the rising costs of cyber risk should an event occur, but organizations need to realize that they can reduce their overall risk, which can correlate to cost containment if they follow through with simple preparations,” said Brian Lapidus, COO for Nashville, Tenn.-based Kroll Fraud Solutions.

“Most policies only cover a portion of response costs, which makes planning for breach response activities – from notification to forensics – even more critical. And even if you don’t carry a policy, you can still benefit from this type of planning, placing you in a better position for when this occurs,” continued Lapidus.

Lapidus offers these four tips for preparing for a data breach:

Utilize an ongoing breach preparedness program. Typically, any carrier will require some type of risk assessment before a policy can be written. But most policies also include conditions related to the ongoing security controls that a company employs – and, of course, a failure to meet those conditions could result in loss of coverage. In this case, breach preparedness programs can be a valuable asset. Be sure yours includes in-depth risk assessment, incident response plan assistance and ongoing data security controls.

Engage outside counsel for advice on regulatory requirements. Privacy law is an ever-changing and relatively young discipline, and it’s difficult to navigate the risks related to legal or regulatory issues. It is advisable to seek the advice of a third-party expert on the potential costs related to litigation fees, regulatory fines and e-discovery before a policy is in place. After all, going to court isn’t cheap. If you’re hoping that insurance will cover you when it comes to legal costs, it’s important to know what your legal obligations are when it comes to a breach and the potential costs they carry.

Plan to conduct a forensic investigation. Look for a policy that will cover expenses related to data forensics. This is a key component of determining whether a breach has occurred, how it occurred, whether it is ongoing and the scope of the incident. An investigation ensures proper discovery protocols are in place to collect and preserve evidence in the event an audit or lawsuit develops.

Employ delivery optimization techniques to cut your notification costs. Whether you have a cyber policy or not, there are definite opportunities for cost savings related to breach notification. For instance, utilizing a mailing list that’s inaccurate, out-of-date or incomplete can make notification a time-consuming and costly endeavor. Cleaning up your mailing list to eliminate duplicates and ensure addresses are accurate will not only optimize your delivery, it will ensure you’ve demonstrated best efforts to provide all those affected with a timely notification.