Derek S. Symer is director of nonprofits at AHT Insurance in Leesburg, Virginia, and a member of ASAE’s Finance and Business Operations Professionals Advisory Council.
Many associations have cyber liability insurance, but they may not be familiar with all of its features. Check your policy to make sure you’re taking advantage of risk management tools included in your coverage.
Most associations understand the need for cyber insurance as a risk transfer tool. The question is no longer, “Do we have or need cyber coverage?” but rather, “What does our cyber insurance policy cover, and what resources might be embedded in that policy that we can use proactively?”
Unlike other insurance policies, which contain language that can remain unchanged for years, insurance coverage for cyber risk is dynamic. Cyber policy coverage changes rapidly to keep pace with new and emerging threats and to allow insurance underwriters to manage their financial exposure.
Therefore, it is critical to review your cyber coverage regularly and to understand what tools are available in your policy. Cyber insurance offers many proactive risk management options and “throw-ins,” which are likely already embedded in your current coverage. You are paying for these tools, so why not use them?
Here are three areas where you might be underutilizing embedded services, as well as important factors to consider before your association experiences a breach or hack.
Do you know who to turn to in the event of a cyber incident? Do you know who to immediately contact when something happens? Follow some best practices to ensure you’re prepared to respond promptly.
Your association may have preferred providers that you work with to perform technology services. Likewise, it is important to pre-select third-party vendors you will work with following a breach. Often, your insurance broker can help coordinate with your cyber liability insurer to set up many of those third-party relationships. Or the broker can introduce you to the insurance company’s pre-selected providers, which typically would include a breach coach, public relations support, and forensic IT support.
Cyber policy coverage changes rapidly to keep pace with new and emerging threats and to allow insurance underwriters to manage their financial exposure.
Additionally, it is important to reinforce and supplement your risk management procedures with annual testing and tabletop exercises to test their validity and strength. Before a breach occurs and gives rise to a cyber liability claim, be sure you understand the provisions of your IT and data contracts and how liability flows through them.
The rationale for many tools in cyber insurance policies is to help your organization mitigate risk and prevent or control the damage when a breach happens. Some common complementary tools and services include:
Another pre-loss service is “shunning,” which is offered by a third party the insurer has selected. Shunning prevents cyber criminals from surveilling your IP addresses as targets to breach. It can also prevent outward traffic from your network once a wrongdoer has deployed malware.
Other tools can help your association better understand the amount and type of data that you store. One type of service allows customers to obtain a global, holistic picture of their IT assets. It can also assist in better aligning your IT and operational controls with the proper insurance coverage. Another resource assesses the potential financial impact of a breach by analyzing the personally identifiable information and personal health information the organization holds and the associated risk of financial loss.
Most associations understand the risk of a data breach and purchase cyber liability insurance. The next step is better understanding how cyber coverage will help your organization before and after a breach. Talk with your broker and insurer about what “value added” and pre-loss services your policy offers.