November 23, 2009
Recently in the Kansas City Business Journal there was an article about data theft and the insurance options out there. It is nice to see someone finally bringing this issue to light and I hope this will make people realize that the threat is real. Over the past few months, I’ve spent a considerable amount of time trying to educate my clients and prospects on the need for this type of coverage but many business owners still think they are immune to a data theft.
July 22, 2009
Although some carriers and individuals lump Cyber Liability and Data Privacy coverages together, they are different coverages. I wanted to take a few seconds to discuss the differences in the coverages.
July 14, 2009
People have been looking for a tool to eliminate cyber risk for some time now but have struggled to find something. Not only would a tool help businesses prevent data breaches, but it would also help insurance underwriters have a better understanding of the risk they’re taking on and allow them to price the data privacy insurance product appropriately.
I got to meet with a local business owner last week who may have the product. He currently has a product that minimizes health, safety, environmental, and other types of risk to help businesses decrease their insurance costs; they distribute their product through a large international insurance company. He was able to show me a product he’s developed that will allow a business owner to do the same thing with cyber risk. So don’t be surprised if you see a product like this on the open market in the next few years!
June 4, 2009
Every time I start to think I have a grasp on what’s going on in the data security and privacy space, I talk to someone who makes me realize how vast this world is and how much knowledge I have to gain. I met with Chris and Chris, the founders of LockPath, this morning and realized that the world of GRC is so massive, I’ve just begun to skim the top of the surface. You may wonder why as an insurance producer I’m interested in GRC, but it’s simple. GRC is a great way to rate the potential risk of a business for an insurance underwriter.
I use the example comparing the cost of insuring a brand new Ford Taurus vs. a 2005 Porsche Carrera 4. An underwriter would never charge the same premium for these 2 cars because they understand how to qualify each risk. In the case of Data Privacy Insurance, it isn’t as clear which business is the Taurus and which is the Porsche. I’m hoping that we can use the principles of GRC to help underwriters quantify the data privacy risk of a given exposure.
June 3, 2009
- Unauthorized access to, use of, or tampering with data
- Liability arising from denial of service attacks or the inability to access websites or computer systems
- Crisis management and public relations expenses
- Regulatory action defense expenses
- Computer system extortion expenses and losses
- Intentional wrongful conduct of “rogue” employees
- Coverage for punitive damages
- Any form of invasion, infringement or interference with the rights of privacy or publicity
- Business Interruption loss and/or restoration expense incurred as the direct result of an enterprise security event which causes a system failure
- Data restoration costs
- Legal liability, defense costs and expense reimbursement for your business for a personal identity event
” National Underwriter Property & Casualty. November 3, 2008.
June 1, 2009
One of the biggest roadblocks to the emergence of Data Privacy insurance is its cost. I believe the challenge in pricing the coverage correctly comes from the underwriters’ difficulty in grasping the overall data and network security of a business. In talking with businesses, it quickly became clear to me that there were a few characteristics that set a business apart from its neighbor in the area of data security. If I can find enough businesses that demonstrate those characteristics, I believe we can establish a “premiere” risk class and get competitive pricing on data privacy insurance.
I met with one of those “premiere” risks today and wanted to point out a few of the characteristics that make them a leader in Healthcare IT Security.
- They have software in place that will detect any rogue wireless access point
- They have policies and procedures when any change is made to a firewall, router, or other piece of network hardware
- All systems are scanned on a weekly basis and they hire a 3rd party to attempt to penetrate various systems on a continuous basis
- Employees are trained annually on protecting sensitive information
- Their data is all stored and backed up in a Tier 2 data center which will become a Tier 3 center in the next year
These are just a few things that I believe a business can do to help establish themselves as a “premiere” data privacy insurance risk.
May 21, 2009
I had the privilege of going to Los Angeles 2 weeks ago to hear Dr. Joel Brenner speak on the topic of network and data security. It was a very small gathering and I got the opportunity to talk to him personally after the event. We discussed the misconception that data loss is covered by a business’s insurance policy and that most businesses were unprepared to deal with a data loss. During his speech he informed us that the Chinese and the Russians have already been seen in our electrical grids and in the networks of our major banks to illustrate how real of an issue this is. He offered us some tips to protecting your company’s network security which I’ll share below:
- Identify which information should be protected and for how long
- Make sure to encrypt all extremely sensitive material
- To dispose of sensitive material, shred or make it unreadable
- Do not leave valuable company information unattended in hotel rooms
- E-mail and voicemail passwords must be protected and changed frequently
- All sensitive materials must be removed from conference rooms and chalkboards and whiteboards erased after meetings
- Where possible, conduct background investigations on all individuals with access to sensitive information
- Obtain nondisclosure agreements from employees, vendors, and others with access to proprietary information
These tips were taken from the Department of National Intelligence document Safeguarding Information for the Security Professional.