While many carriers of cyber liability insurance claim the savings are due to the swift response and reporting of compromised records, security officials believe there’s such a thing as acting too quickly.
“Will you save money by reporting a breach right away? The real answer is that it depends,” said Jake Kouns, chief information security officer with Risk Based Security. “If you jump to conclusions and get under the impression that you need to immediately respond to a breach, it can cost you far, far more than if you take your time to figure out what’s going on.”
That message is slightly different from the one being marketed by carriers.
“Businesses are going to want to respond in real time,” said Ken Goldstein, vice president and worldwide cyber security manager for Chubb, which sells an incident response template. “If you don’t respond to a data breach right away, you have heightened litigation and reputational risks to deal with. On average, you’re looking at a legal time frame of 30 or 45 days.”
Having a detailed incident response plan for data breaches can save up to $42 per compromised record, a recent study by the Ponemon Institute found. While Kouns agrees that notifying legal bodies and affected parties is vital for avoiding legal action and preserving reputation, he thinks most companies can get by with simpler measures than those in an incident response plan—at least at first.
“At the end of the day, each breach needs to be looked at very carefully. There’s nothing wrong with a simple email to the attorney general,” he said. “That way, you head it off without the confusion and costs of notifying everyone.”
Both Goldstein and Kouns said insurance producers should keep these timeframes and lessons in mind when selling cyber liability policies to clients.
According to Goldstein, brokers and independent agents even preserve reputation and profits by pushing cyber liability policies that ensure fast-acting response plans.
“From a broker perspective, you’re looking at helping your client manage risk and get seamless coverage between management liability and property and casualty lines,” he said. “Carriers recognize the better coverage provided by the broker and keep that in mind in the future.”
Data breach response plans typically include a template clients can use to hire professional services like lawyers and a reliable IT team to investigate data breaches. Some companies may also invest in hiring communications services that send immediate notification to customers or employees whose records have been compromised.