Earlier this year, Assemblyman Edwin Chau (D-Monterey Park) introduced Assembly Bill 2320. If passed, AB 2320 would require any business that contracts with the state and has access to records containing personal information protected under the state’s Information Practices Act (IPA) to maintain cyber insurance coverage. Information covered under the IPA includes names, social security numbers, physical descriptions, home addresses, home telephone numbers, education, financial matters, and medical or employment history. Requiring contractors to maintain cyber insurance would likely shift the costs of cyberattacks from taxpayers to the private sector while also encouraging robust cybersecurity practices among businesses of all sizes. Although the bill has not yet passed, businesses will be best served by implementing and improving their cybersecurity practices now in order to obtain the lowest premium rates in the future.
Incentivizing Best Practices
With the adoption of AB 2320, businesses would be incentivized to improve their security posture in order to receive lower premiums from insurers. At the same time, insurers would be incentivized to require best practices from their insureds in order to reduce the risk of having to pay out on cyber insurance policies. Cyber insurance would thus act as a vehicle for spreading best practices among businesses and, in turn, reducing their exposure to cyberattacks.
Shifting Costs to Private Sector
Cyberattacks have become more frequent and more expensive. According to insurance carrier Hiscox, a cyber incident costs $200,000 on average. Small businesses take the biggest hit: 60% of affected businesses go out of business within six months. If these small businesses are required to maintain cyber insurance, the cost of such incidents, up to the policy limits, shifts to the insurer, reducing the number of small businesses bankrupted by cyberattacks.
What Can You Do?
To best protect your business and ensure you receive the lowest premiums from insurers, it is important to maintain the strongest cybersecurity practices possible. Newmeyer Dillion recommends the following practices to protect your business from cyber threats:
- Develop a risk assessment process to identify and mitigate cybersecurity risks
- Adopt and implement policies and procedures that address the identified risks
- Implement, and keep current, access controls that limit each organizational system to its appropriate users
- Establish policies and procedures for mobile device use, and implement security measures for internal and external users
- Establish a vendor management program to ensure that vendors meet your organization’s security requirements
- Train staff to carry out the established cybersecurity policies