GDPR: Should Your Organization Purchase Cyber Insurance?

With data breaches at a record high and the average cost of a cyber-security breach costing upwards of £1.15m, is it about time your business got insurance?When a burglar breaks into your home, insurance is there to help you bear the financial burden of your loss. Likewise, when your car gets stolen, insurance helps mitigate the cost to replace it.But when it comes to your business, are you properly insured?[caption id="attachment_9362" align="alignright" width="186"]

Kris Lahiri, Chief Security Officer, Egnyte.[/caption]Data breaches are already reaching all-time highs this year (2,227 publicly disclosed data breaches with more than 6 billion records exposed in 1H 2017) and the UK Government estimates that the average cost of a cyber-security breach is £600k-£1.15m for large businesses and £65k-115k for SMEs. This is irrespective of the fines and sanctions under the new GDPR, which will surely add to those costs. Many businesses have grown accustomed to purchasing insurance policies like the ones mentioned above – policies involving their commercial property, business interruption, or even professional indemnity. While those policies help protect their financial interest in many areas, they do not cover a majority of the disasters that arise in the current digital age– specifically data breaches and noncompliance under the new GDPR.That said, it is imperative for any organization dealing with corporate and customer data to be able to protect itself financially in the event of a breach.The good news is that cyber insurance firms are offering new policies to help organisations protect themselves from the financial implications of a breach. These new specialised cyber insurance policies can cover the losses relating to damage to, or loss of information from, IT systems and networks.The GDPR, is just over 9 months away and we’ve been speaking with leading insurers and brokers currently covering these new cyber insurance policies. Both sides agree that data breach and non-compliance are very serious concerns and with the right policy in place the financial impact can be mitigated so that businesses are not crippled, or worse, forced to close up shop.

Read more: The Ultimate GDPR Checklist: 8 Things Everyone Needs to Do Before May 2018

Being that this is a bit of uncharted territory, there have been some difficulties for both sides when creating the policies.I had a chance to chat with Tom Draper, Technology & Cyber Practice Leader at international broker and underwriter Arthur J. Gallagher, about the struggles both customers and providers are having. He had this to say:“With the GDPR fast approaching we are seeing an influx of potential clients who are concerned not only about breaches, but about their vulnerability under new regulations involving things like customer data requests. As with any other type of insurance, providers need to know exactly what data they are insuring, where it lives, and how it is protected.“This is where the real problem starts for most clients as many of them do not know exactly what data they have, and more importantly, where to even find it. Therefore organisations will need to make data analysis and classification a primary initiative when preparing for the GDPR, especially when looking to secure coverage from any cyber insurance provider.”Tom and his brokerage are one of many very helpful resources we have worked with to better understand how we can help our customers get more protection ahead of the new GDPR. Although we have not discovered an insurance policy that will provide payouts for GDPR transgressions themselves at this point, purchasing the right insurance policies will significantly reduce your overall financial vulnerability.Many policies that are currently available are customizable and they generally all include significant assistance with and management of any incident that may arise, which can be essential when faced with reputational damage or regulatory enforcement. Policies are generally available for SMEs with cover limits between £100k and £5 million, although significantly higher amounts of coverage are available for firms facing more complex cyber risks.Echoing Tom’s sentiments, I highly advise that one of the first steps you should take when looking into cyber insurance is to analyze all of your data and classify it so both you, and your insurance broker, know exactly what you are dealing with. If your organisation has a large volume of highly sensitive data you will clearly want to invest in a more comprehensive cyber insurance policy, and vice versa.Secondly, I would advise that you evaluate data management and governance solutions that can provide real-time insights and alerts about the movement of your organisation’s data. Deploying one of these solutions will not only make protecting your data easier, it will make your organisation more insurable in the eyes of providers. Some early conversations with brokers have suggested that there may even be discounts available for clients who deploy these types of solutions in the future.

Read more: How Organisations Should Be Preparing for the GDPR

Given the complexities, ever-changing threats, and limited historic data that exists around cyber security, it is worthwhile to be as proactive as possible. Uncertainty can result in higher premiums, and the cost of cyber insurance can be as much as three times higher than more established liability risks. The more detail you can provide about your data and the more protection you can put in place, the more comfortable underwriters will feel about insuring your organisation.See the featured article on Computer Business Review