One myth that we routinely run into concerns insurance coverage: many business owners and managers incorrectly assume that their business liability insurance will cover any and all losses associated with "being hacked" or with a breach of their customers' data.
Many business owners incorrectly assume that their business liability insurance will cover any and all losses in the event that their customers' data is breached. However, typical general liability insurance provides absolutely no coverage for cyber incidents, such as being hacked. There are special policies, referred to as cyber liability insurance, that do. Cyber liability is a generic term for an insurance policy that covers issues such as identity theft from computer network data and paper files. These policies include a section called network security coverage that protects businesses against both first-party and third-party liabilities arising from a data breach event. However, in order to cash in on this special insurance, one must be compliant with applicable privacy and data breach standards and laws (PCI DSS, HIPAA, etc.) at the time the policy is written and attest to compliance on the insurance application. The twist to cyber liability insurance is that insurance companies are not going to take your word for it that you were compliant with requirements at the time of the breach. Coverage is oftentimes denied because a company cannot sufficiently prove compliance at the time of the breach. Unfortunately, this is one of those life lessons that many businesses learn too late.
Dara Security is able to review your current or potential policy and determine whether it is adequately transferring your risk to the insurer, or whether it is simply wasted money. While insurance companies will perform some limited up-front assessment, it is your obligation to ensure that you meet all of the terms of your policies. Dara Security can perform an assessment to determine what your organization's data assets actually are, and who holds them. Next, we can work with you to identify what a loss event would actually look like for your organization. Then we are able to review any cyber liability insurance policies already in place, or soon to be in place, to ensure that these are crafted to protect the right data assets in an actual loss event. Finally, we can ensure that you have a security program in place that meets the insurance requirements needed for a payout due to a breach. This helps to ensure that every dollar spent on insurance is addressing exactly the expected amount of financial risk.