“Companies that contained a breach in less than 30 days saved over $1 million as compared to those that took more than 30 days to resolve.”
-“2018 Cost of a Data Breach Study: Global Overview” by Ponemon Institute, LLC (sponsored by IBM), pg. 9.
“Physician, heal thyself.”
Facing a New Challenge
Once your client has filled out the five-, seven-, or seventeen-page application required to get a quote for traditional cyber insurance, wouldn’t it be sensible if they and you could ask the prospective insurer some questions right back?
With all of the detail required regarding record counts and servers and policies, procedures, and contract terms with vendors and cloud providers, someone should really stop and ask the carrier, “How quickly can you help us resolve an issue?” Or, more to the point, “How qualified and prepared are you really to protect my business and your balance sheet?”
In a way, it’s an exciting time to be a cyber insurer in that there are still so many ways that an insurance company can impact its bottom-line results through service. In addition to helping clients mitigate risk, it’s clear that adequate incident response can have a material impact on financial results. The problem is that all of this is harder than it sounds.
Insurance companies are not cyber security experts. Becoming a cyber security expert (or even hiring the right one) is no easy task. Two things have to happen in order for an insurer to provide incident response that will have a meaningful impact on results:
1. The insurer has to be qualified to provide cyber incident response services.
2. The policyholder has to believe that the insurer is its best path to incident resolution.
Number 1 is hard enough, but number 2 requires a special level of credibility and communication. The way we know it’s not happening is that insurance companies still find their insureds trying to self-manage breaches, apparently believing that they are in a better position to solve the issue themselves without having to report a claim and pay a deductible.
How Do You Solve The Problem?
- Provide qualified support: Your clients need to call someone qualified to help them understand their situation. That can’t just be a number to file a claim.
Paladin’s response team has experience with governmental investigation agencies and cyber response teams for large tech companies. No insurance company claims examiner or assigned breach counsel can give you that kind of expertise.
- Present yourself as call number one: Policyholders need to know they have someone to call to solve problems, not just someone to call to report a claim. Many times, those will be one and the same, but not always.
Paladin is a risk consultant to its insureds, so we’ve designed clear ways to get that consulting service even if you’re not ready to report a claim.
We’re excited to bring a new level of pre-breach service to small businesses in the US, but we’re equally enthusiastic about what we can do for people when it comes to incident response. The numbers are clear: if we are able to provide a qualified response service, our program’s loss results will see a significant positive impact. Even better, those positive results can then be passed on to small businesses in the form of lower premiums.
One of the most powerful underwriting tools at the disposal of cyber insurers has nothing to do with the application. As cyber insurance underwriters, we need to provide the best version of the service we say we provide. Paladin is ready to lead the way.