More Laws Drive Demand for Cyber Insurance

December 28, 2015| Von Mindy Pollack | Cyber Risk | English

Region: North America

Connecticut made cyber insurance news in 2015 when its legislature passed the broadest law in the country, requiring businesses to offer customers ID theft and loss mitigation services after a breach. Businesses already had to investigate and notify affected consumers, as well as inform the state attorney general. Now, under SB 949, they must extend breach services, too.

The Laws

Connecticut will probably not be the last state to mandate the provision of breach services to affected consumers. In fact, the Connecticut law closely follows the California statute passed last year, so there is good reason to expect more jurisdictions to use the new law as a model.

If a small business discovers a breach of electronic data after October 1, 2015 that is affecting Connecticut residents, it must offer customers:

  • “Appropriate” identity theft prevention services
  • ID theft mitigation services, if applicable
  • At least 12 months of such free service(s)

California’s requirements have a narrower scope; its law only applies when the breach involves one of three types of personal information: Social Security number, driver’s license number or state ID number.

The Connecticut state law starts there, and then adds health information, credit/debit card numbers, bank account numbers and more. Who will be next?

The reality is that consumers are demanding protection and these services with or without state laws. Recent surveys found that, after a breach:

  • 84% of customers say notification and communication are critical to regaining trust
  • 63% expect ID theft protection
  • 58% expect credit monitoring

That creates an enormous challenge for a small business. How does the business owner find these services when he or she learns of a breach? How do business owners know if the service providers are capable and will help their customers?

The Solution

"Choose the right Breach Response and Cyber Liability (Cyber) insurance" is a great answer. The typical Cyber policy embeds ID theft prevention, security monitoring and ID restoration services. With a Cyber policy, the business owner does not have to find vendors or worry about what it will cost. The services are part of the insurance policy. All it takes to access the services is an email or phone call. That is how Gen Re’s Cyber product works; all coverage and services are embedded in the policy.

What’s the value to a business? Perhaps the greatest value is having these loss mitigation services “on call” when a breach occurs. The economics also make sense. The premium for a low-limit roll-on policy can start at under $100.

Not all Data Breach Response and Cyber Liability insurance policies and services are alike. The expertise of the breach service provider, the scope of coverage, limits and sublimits…all of these differences can matter. Insurers, agents and customers need to become knowledgeable about the products and breach service providers. That requires getting beyond bullet points on a flyer. Fortunately, a lot more information is available now for getting a good cyber insurance education.

So let the laws come on. With the right Cyber insurance policy, a business owner has something less to worry about. If we can help, let us know.

  1. Ponemon Institute
  2. Qualtrics survey

Our Expertise: Data Breach Response and Cyber Liability. Learn more about our insurance and reinsurance solutions.


Stay Up to Date. Subscribe Today.


Lernen Sie unsere Experten kennen

View Contributors