It is a dire message for business owners: a hacker or cyber terrorist is lurking out there to ruin them. But it is a message brokers must deliver to their clients, says one industry expert.
The good news for brokers is that the cyber liability product will take off this year – and the role of the broker as a trusted advisor will take flight as well.
“It will be the hottest product of 2015,” says John Farley, the head of Cyber Risk at Hub International. “It is astounding how quickly hacking discussions have gone from a privacy issue to a matter of national security in just a few weeks. The hack of the government Twitter site is an example of that.”
Farley is referring to the recent ISIS hack of the U.S. Army’s Twitter feed, which took many top officials in Washington D.C. by surprise.
“Some top government groups and large multinational companies like Sony that have sufficient resources to fend off attacks, it still seems to happen on a daily basis,” Farley told Insurance Business. “Look at Target – they are spending hundreds of millions of dollars to recover from their one hacking event.”
Back in December 2013, Target stores suffered a cyber breach that affected 40 million credit and debit cards and led to the release of some personal information of upwards of 110 million Target shoppers.
Now, a District Court judge in that company’s home state of Minnesota has cleared the way for lawsuits.
But how safe are you or your clients from a data breach?
“If the U.S. Twitter account can be hacked,” says Farley, “the message is clear – no one is safe.”
But this is where brokers can play an instrumental role in preparing their clients for a data breach. And it comes down to prevention, mitigation and how to recover.
“These incidents underscore the importance of performing due diligence with all vendor relationships, before, during and after contracting services,” says Farley. “Lessons learned from these high-profile breaches can benefit other organizations.”
Some of those best practices that your clients should follow are:
- Ask to review vendor reports on background checks conducted on any employees who may have access to sensitive data;
- Review the company's written data governance policies and breach response procedures;
- Obtain results of any internal or external data security audits, and find out how often these audits are conducted;
- Ask for details on any prior data security incidents the vendor may have experienced;
- Know exactly where your data resides, and be sure you know where your vendor may be sending it;
- Contracts with vendors should have indemnity language included, where the vendor holds the organization harmless for breaches of data being held;
- There should also be a termination agreement that allows the organization to gain control of the data in the event of a breach; and
- Demand proof of insurance coverage that will cover both the vendor and the organization in the event of a breach.