The Role of Insurance in Data Breach Risks
Monday, December 16, 2013 6:45 AM

The risk of a data breach is equal to or greater than the risk of natural disasters, business interruption, fires and similar insurable risks, according to 76 percent of the employees involved in business risk management surveyed by the Ponemon Institute. The institute’s August 2013 research report also notes that 56 percent of the organizations surveyed had been victims of a data breach within the previous two years.

According to Ken Otsuka, senior risk management consultant for CUNA Mutual Group, a credit union’s Bond policy and other insurance policies may cover certain types of losses associated with a data breach. However, if a credit union doesn’t have a policy specifically dedicated to the growing array of data breach risks, it should review its overall exposure to these risks.

 Basic Elements of Cyber Crime Insurance:

  • Security Breach Liability: The most basic element of a cyber-liability policy helps protect your credit union against liability for damages caused by a security breach. For example, your employee’s laptop containing members’ account data is stolen, or your network is hacked by a criminal who steals credit card information. A court may award damages to other financial institutions that sue your credit union for negligence, such as faulty data security. If your credit union is responsible for theft of credit card numbers and CVV codes, the card provider may sue for the expense of notifying your members, blocking and re-issuing cards, etc.
  • Programming errors and omissions liability: Covers your credit union if members sue over an error that publicly discloses their private financial information.
  • Public relations expense: For professional public relations help in correcting misinformation and in mitigating damage to your credit union’s reputation among your members and the community at large.
  • Security breach expense: Such as hiring a forensic auditor to determine the extent of the breach, notifying affected members, handling members’ enquiries, etc.
  • Website publishing liability: Especially important for credit unions that host social networking programs such as Facebook on their website. Defamation of competitors is a typical risk, if users post negative comments about other financial institutions.

A variety of coverages beyond these basics are available to protect your credit union from the potentially catastrophic losses caused by data breaches.

 Network Security Tactics:

Insurance is critical, but perhaps your best protection is an annual thorough review of your network security. Consider these prevention tactics:

  • Protect data in storage and during processing: Encrypt confidential member data (PII, personally identifiable information):
    • Residing anywhere on your network.
    • Residing in mobile devices, laptops, external storage media such as backup drives, etc.
    • Transmitted over the internet.
  • Establish a policy for acceptable use of internet/email: Reduces the risk of infecting workstation computers/credit union network with malware, viruses, etc.
  • Protect against employees seeking to steal confidential member data: Lock down USB ports and CD-ROM drives on workstation computers.
  • Educate employees to reduce errors: Instruct employees how to dispose of anything containing PII, such as old tape drives, disk drives, etc. Include proper disposal for paper records containing confidential member data.
  • Establish and continually update IT controls, including:
    • Firewalls
    • Antivirus protection
    • Intrusion detection system
    • Operating patches
    • Vulnerability assessments
    • Penetration testing
    • Anti-spam protection
    • Encryption solution

“The ability to protect members’ PII, paired with cyber liability insurance, will help minimize potential threats to financial, legal (compliance) and reputation risk in the event of a data breach,” says Otsuka.