The 20’s Super Simple Guide to Cyber Insurance
Part 4 – Cyber Insurance and Scope of Data
Cyber insurance is all about probability. How likely is it that your business will suffer a cyberattack? And what would the costs of such an attack likely be? But how do cyber insurance underwriters think about your ‘risk level’ as an organization?
The same way hackers do – in terms of data! Data is the name of the game. Your company’s sweet, sweet data is what cybercriminals crave, because data is what makes them money.
This brings us to our topic for part 4 of The 20’s Super Simple Guide to Cyber Insurance: Scope of Data. If you’re applying for a cyber insurance policy, you’ll want to make sure you have a clear idea of what your organization’s scope of data is. So, let’s discuss what ‘scope of data’ means, and why it’s important.
How Much Data?
Scope of data refers to the amount of data at your business. The more data you stand to lose in a cyberattack, the more costly such an attack would be. Target lost a lot of money when they were breached in 2013 ($202 million), and that’s largely because of the sheer amount of stolen data – credit card and debit card information from over 40 million customers!
Bottom line: Before applying for cyber insurance, figure out how much data is at your organization, because you’re going to have a tough time convincing a cyber insurance carrier that you keep a close eye on your data if you don’t even know how much of it there is.
What Kind of Data?
As far as a cyber insurance provider is concerned, the kind of data at your business matters just as much as the amount. When evaluating your ‘cybersecurity posture’ (how good your cybersecurity is overall), a cyber insurance company will want to see that you concentrate your security efforts on protecting your most valuable digital assets.
To understand scope of data, let’s go over some particularly valuable types of data. That way you know where to prioritize your cybersecurity efforts.
Personally Identifiable Information (PII)
This is a big one. In 2023, customer PII was exposed in 52% of data breaches, and it was also the costliest type of data to lose, setting businesses back $183 per record on average. Moreover, major compliance frameworks, including HIPAA and PCI DSS, include guidelines and standards for how businesses ought to handle their customers’ PII.
PII is any information that can be used, either by itself or in conjunction with other information, to identify a particular individual. Here’s a list of common types of PII that hackers like to steal:
- Credit card and debit card numbers
- Social security numbers
- Driver’s license numbers
- Medical records
- Full names
- Email addresses
Bottom line: Use robust cybersecurity tools and practices like encryption and multi-factor authentication (MFA) to protect the PII at your company like your business depends on it – because it does! And, if you want to purchase a cyber insurance policy, expect carriers to ask you questions about how you handle PII. The more details you can give them on scope of data to put their minds at ease, the better.
Passwords
Though technically a type of PII, passwords deserve their own discussion. Poor password management practices are rampant, and that is a large part of why cybercrime is too. The Ponemon Institute surveyed IT professionals in 2020, and a shocking 42% reported that their organizations still use sticky notes to keep track of passwords.
Bottom line: Passwords are valuable data, and if you aren’t using password management software to store passwords in a secure manner, you’re going to make cyber insurance carriers very nervous – and with good reason! Check out our full blog to learn all about this security-boosting tool.
Intellectual Property
One way to determine the value of data is by asking: “How much does my company rely on this data to operate efficiently and profitably?”
If the data in question is intellectual property – your organization’s trade secrets, for instance – the answer to that question can be “a lot”!
Bottom line: When implementing security solutions at your organization, don’t forget about intellectual property. It needs to be protected too, and cyber insurance companies will want to see evidence that you’re taking appropriate measures to keep your intellectual property from falling into the wrong hands.
Where is Your Data?
Your scope of data is as much about the where as it is the what and the how much. Is your data in cloud repositories such as Dropbox and OneDrive? Or is it all locally stored on your computer or server hard drives? If you’re shopping for cyber insurance, prepare to demonstrate to carriers that your organization’s data is kept in secure places.
And remember, “secure” doesn’t necessarily mean on-premises. Despite widespread fears about the safety of using the cloud, a secure cloud can be a much safer option than an onsite storage solution. That’s because cloud providers – like Microsoft – offer some seriously powerful security measures and disaster recovery protection plans that help keep your data safe and sound.
What’s Next?
Hopefully this overview of Scope of Data was helpful. We’re over halfway through our cyber insurance journey, but there’s still plenty more to cover! Next, we’ll explore the importance of cyber insurance and multi-factor authentication, highlighting why insurance carriers and security experts view these tools as essential. Stay tuned!