With increased frequency, businesses of all sizes find themselves victims of cyber-crime. Whether it’s a breach of valuable data, disruption of services, loss of intellectual property, damage to reputation or damage to critical infrastructure, the costs can be catastrophic.
For this reason, the ability to identify and respond to evolving threats is increasingly important and will largely determine the outcome of a cyber-event.
The effectiveness of these strategies often depends upon resources a firm has in place to identify, defend against, and soften the impact of an event.
These resources are numerous, and broad in their expertise and remit. Here, we have identified some of the key players in the cyber risk sector and outlined the role they play in cyber risk mitigation and transfer.
In the privacy and data security realm, the regulator’s responsibility typically is to compel organizations to protect specified types of information.
In the US there is no all-encompassing law or regulatory body responsible for privacy and cyber security.
Rather, there’s a patchwork of state and federal regulations that focus on specific industries or populations, each with their own regulatory body.
The payment card industry also acts as a de facto regulator for credit and debit card transactions through private enforcement of the Payment Card Industry Data Security Standard (PCI DSS).
Cyber security and privacy legal specialists play an important role both in preparing for and responding to a cyber-event. For the vast majority of companies that collect and are responsible for safeguarding personally identifiable information (PII), obtaining legal counsel in crafting contractual language and remaining compliant with privacy laws and regulations both at home and abroad is crucial to managing cyber risk.
When a breach of PII does occur, lawyers specializing in cybersecurity and privacy assist companies with tasks such as navigating state breach notification laws, hiring cyber-forensic firms, and preparing for the regulatory scrutiny and litigation that will likely ensue.
The secrecy afforded via the attorney-client privilege also helps protect companies from self-incrimination based on information obtained while performing internal investigations and due diligence.
In no particular order, some of the most active law firms in this specialty are included in the table here:
Insurers and Brokers
The cyber risk landscape is perpetually changing. As a result, cyber insurance policy forms are also evolving in order to stay relevant. Good insurance brokers understand their clients’ unique exposures and help design insurance programs that leverage the ever-increasing number of cyber-related products.
Insurers offering cyber products frequently do more than just provide risk transfer capacity.
Many have relationships with experts and service vendors that can help guide and support their insureds in the event of a loss. In short, they provide both indemnity and claims management support.
Advisen estimates that globally there are approximately fifty carriers that have a cyber-related product offering.
Based on Advisen’s data and a survey of leading cyber brokers, of the fifty, Advisen believes the following are the top five cyber insurers of US business by premium volume.
• Lloyd’s of London
The chart below shows average policy limit and average premium based on Advisen Market Insight transaction data for the five largest carriers.
Limits, on average, range from $4.2 million to $7.5 million.
At about $19,000, Beazley is achieving the highest rate per $1 million of limit, though rate-per-million does not account for potentially material differences in coverage provided by the various carriers.
Security Consultants and Vendors
Security consultants provide expert insight into cyber-security risks, develop strategies to manage the risks, test the effectiveness of defenses and assist with developing comprehensive incident response plans. Developing custom-tailored security programs helps organizations be better prepared to defend against threats, comply with privacy and security laws and minimize the economic and reputational consequences of a cyber-incident.
Cyber Forensic Firms
Cyber forensics and security consulting frequently overlap. The principal distinction between the two is that security consultants primarily help to prevent a loss while forensic firms are essentially the first responders called in to manage the risks after an event has occurred. Their responsibilities include identifying the source of a loss, remediating the ongoing threats and recovering lost data.
Crisis Response Firms (Public Relations)
Amid the many risks associated with a cyber-event, a damaged reputation can be among the most costly. An inability to communicate effectively with regulators, shareholders, customers and the media can result in greater economic loss for the victimized company. Crisis response firms have the expertise to help a company prepare in advance to respond to an event and to guide a company through the public relations nightmare that can follow a data breach or other cyber-event.