What would your agency do if you had a Data Breach?
A full 80 percent of businesses that experience a breach do not recover and go out of business in 6 months. The right insurance can keep your agency from becoming part of this startling statistic. The Independent Insurance Agents of Wisconsin (IIAW) offers our members an exclusive program to help protect their agencies from information security breaches.
Data Breach Expertise
Since no two Data Breach policies will use the same forms or definitions, it’s a very daunting task to attempt a side-by-side comparison. However, there are some commonly misunderstood Data Breach topics, myths and frequently asked questions that we often run into and want to share with you:
- Don’t Compare Your Policy By Limits Alone. Even if two policy forms were identical, they may have different limit structures. Many monoline policies offer several “buckets” of coverage rather than one single limit to cover all included exposure. For example, our Beazley policy offers three “buckets” of limits. If our policy has $1,000,000 limits, then it would include a bucket of $1,000,000 for the Limit of Liability (see Policy Definitions), a separate bucket of $1,000,000 for Legal, Forensics & Public Relations outside of the Limit of Liability and a separate bucket with no monetary limit for records notification. Instead, the Notification Limit is expressed as a number of records, which is easier for you to define when making a purchase decision. If you know your agency has under 50,000 records, for example, you can make a very informed purchase decision for your notification limit.
- An Endorsement to a GL, BOP or even Professional Liability policy is not the same as a monoline policy. The reasons for this are endless: small sub-limits (see What limits of coverage do I need?), limited coverage (see What Coverage Is Often Missing From Policy Form?), restrictive exclusions (see What Exclusions or Policy Provisions Should I Watch For?), and the fact that these policies are typically reimbursement policies (see What is the difference in how policies respond?).
- Not adequate coverage to get your agency fully up and running after a breach. You would never recommend to one of your insureds that they only purchase $25,000 in property limits on their house because “it’s better than nothing”. Paying premium for coverage or a policy that doesn’t fully indemnify you and keep you in business is never better than nothing.
- Notification Threshold – We go over this in the Policy Definitions section of a policy, but it’s worth its own mention as it’s one of the most common definitions I’m asked to clarify and is more often than not misunderstood as a deductible. This threshold only pertains to the notification letter, call center and credit monitoring services. If the breach affects over 100 records, these services are activated. If it does not, only the legal, forensics and crisis management services will be activated. It’s really a threshold that organizes how the policy will respond, and the threshold is governed by law.
- What limits of coverage do I need? Data breach experts recommend no less than $1,000,000, although this is a very subjective question. According to a 2016 Ponemon Study, the average breach costs the responsible party $221 per record. (Remember, the number of records you have is not equal to your policy count. Think of an auto policy for a family of 4 drivers: that’s 4 records you have on file for just one policy.) It’s an easy multiplication equation.
- What Coverage Is Often Missing From Policy Form? First Party Coverage – Often I’ll see an endorsement or policy that will respond for the party whose information was breached (Third Party Coverage), but not include any monies to help your agency deal with a breach. So your customers would be taken care of, but you’d likely still go out of business with no policy to protect your needs.
- What Exclusions or Policy Provisions Should I Watch For?
- The application warrants the policy, so what has changed since you completed the application? Are all your devices still encrypted? Is all your software current? If you answered favorably to all these questions on the application, which is now part of the policy, the carrier could subrogate the cost of a breach back to you.
- What is the difference in how policies respond?
- Our Policy Includes Business Income. The 2016 Ponemon Data Breach study revealed an increase in the cost of a breach. One reason pointed to is that the loss of customers increased the cost of a data breach. This cost component includes the abnormal turnover of customers, increased customer acquisition activities, reputation losses and diminished goodwill (see Policy Definitions for PR coverage).
- Myth: Reimbursement for stolen funds is included in a Data Breach policy.
Risk Management Assessment
Organizations of all sizes need to mitigate their information risk. Are you covered properly? Take our assessment to find out.