Cyber insurance covers your association when your cybersecurity measures fail, but how do you know whether your association needs it? Here are a few questions to ponder.
When our daughter entered toddlerhood, my husband and I kid-proofed our house. We inserted outlet covers, we locked cabinets, we put cleaning chemicals and medicines on high shelves, and we made sure that furniture couldn’t topple over, all to protect her from harming herself or our stuff.
Well, one day, not too long ago, there was a span of 10 minutes or so, which in retrospect, I should’ve realized were way too quiet. (It’s always way too quiet when the kids are plotting something). In those 10 minutes, my then two-year-old had dragged a stool over to the bathroom drawer, opened it up, found my red lipstick, and liberally applied it all over her face, arms, and legs. Our home had been breached, despite our best child-proofing efforts.
To right this wrong, all that was required was a stern word (ahem, muffled laughter), a bath, and a new spot for my makeup, but when an association experiences a breach—especially a cyber breach—the fallout can be much worse, particularly if it doesn’t have a cyber insurance policy.
“Depending on your organization’s exposure to cyber liability, you may feel the cost of purchasing a cyber-liability policy is not cost-effective for your organization,” said Pam Townley, VP of cyber at AXIS Capital, during a recent ASAE webinar “Ask the Insurance Nerds: Cyber Security.”
So, how do you go about determining your exposure to a cyber breach, figuring out if you need a cyber insurance policy, and determining which kind of cyber coverage is required?
According to the webinar’s panel of experts, here are a few questions to ask:
- Do you obtain personally identifiable information (PII), such as the social security number, date of birth, driver’s license number, and so forth of your employees, members, or customers?
- Do you obtain protected health information (PHI) or medical information of your employees?
- Do you collect payment card industry (PCI) data from your members or customers?
- Do you collect any other confidential corporate information from your members or customers?
If you answered “yes” to any one of those, then you do have some cyber-liability exposure that you should consider addressing via a cyber insurance policy. “If information is being collected on your behalf, it is your responsibility,” said Eric Johnson, VP of Affinity Nonprofits. That data is the association’s responsibility even if a third party is involved in collecting or managing it.
Organizations tend not to realize how expensive responding to a cyber data breach can be, Townley said on the webinar. As of November 2016, Townley said, the average estimated cost per compromised record was $214. (Warning: Multiplying that cost by the number of member records your association has could keep you up at night.)
But as with all insurance policies, there’s no one-size-fits-all when it comes to cyber insurance. Associations should complete a detailed risk assessment in order to find the best policy for their particular set of risk factors.
According to the webinar organizers, this risk assessment should include the following questions:
- How many unique records are in your care?
- What types of data do you have (PII, PHI, PCI, among others)?
- What types of regulatory compliance are required, based on the types of data you have?
Once this assessment is complete, your association may decide to get cyber-liability insurance.
If you do, Johnson recommends working with an insurance expert to help you select a policy that’s best suited for your organization. This expert can also help you understand all the complexities and options out there.
After you have a policy in place, it could offer a number of benefits should your association face a breach. For example, in the case that member data is compromised, you’ll have experts on hand to help direct your association on what response is required. You’ll also have access to risk-management or educational tools to help reduce your cyber-liability exposure, said Townley. And depending on what kind of policy your association takes out, insurance might cover expenses related to regulatory fines, investigations, third-party damages, and more.
How has your organization benefited from a cyber-liability insurance policy? Let us know in the comments.