The First Step In Cyber Insurance: Know Your Risk And What You're Insuring Against.
Cyber insurance provides an opportunity to address residual risk in your information security program by offsetting the costs of a data breach of ePHI. However, individual policies, coverage, and exclusions are highly variable, so just like any security control, it's important to understand your security risk profile before an appropriate cyber insurance policy can be defined. An assessment, such as a HIPAA Security Risk Analysis, should be the first step in any insurance policy strategy. Here's why:

You'll have to do one anyway. The most important factors in most enterprise cyber insurance rates are the state of your current security controls and your revenue. So not only is a security risk analysis an essential part of any robust information security program that you should be doing anyway, but it will also be a factor in your rates and likely a requirement before you secure a policy.

The safest approach is to avoid a breach in the first place. Most policies will require substantial out-of-pocket expenses to be paid by the insured regardless of your coverage. No insurance can fully replace lost productivity and brand damage due to a breach. A recent study released by Carnegie Mellon University (and others), “An Empirical Analysis of Data Breach Litigation,” notes that “the odds of a settlement are found to be 10 times greater when the breach is caused by a cyber-attack, relative to lost or stolen hardware, and the compromise of medical data increases the probability of settlement by 31%.” Thus, insure against theft but still spend money on locks for your doors!

Your risk profile will enable a better tailored policy. Cyber insurance policy coverage is highly variable and configurable. Policy buyers need to be aware of what is covered and that distinct coverage, limits, and deductibles may apply for individual risk categories. In order to ensure that a policy is tailored to your individual risk profile, it's important to understand where your risk lies. Areas that can be insured typically include regulatory fines and penalties, claims and lawsuits, and response costs such as breach notification for affected customers, credit monitoring, forensic analysis, legal fees, and public relations outreach.

Do you really know where your risk is? A key area of risk that a security risk analysis illuminates can be the extent to which Business Associates (BAs) factor into your overall risk. Our experience is that BAs often pose more risk than might be expected in terms of the amount of ePHI that they access and/or host, because their security controls are not always on par with those of the healthcare organization that provided the data, despite the Business Associate Agreement that is in place. This is particularly relevant when the BA is a cloud provider. A security risk analysis should clarify the extent of cloud-based and BA risk so that this critical part of the policy can be defined appropriately.

Cyber insurance can prove to be an effective tool for mitigating the fiscal impact of an ePHI data breach. With proper policy review and selection, guided by an informed view of your risk profile, it's more likely that such a policy can achieve your objectives and be accurately scoped.

Web: WWW.REDSPIN.COM | Phone: 800-721-9177 | Email: INFO@REDSPIN.COM