The National Association of Insurance Commissioners (NAIC) Cybersecurity Task Force reported that insurance companies “will probably want to see the business’ disaster response plan and evaluate it with respect to the business’ risk management of its networks, its website, its physical assets and its intellectual property.” The November 17, 2016 NAIC Cybersecurity report made it clear that going forward businesses must have IRPs or else the might not be eligible for cyber insurance “policies might include one or more of the following types of coverage”:

Liability for security or privacy breaches. This would include loss of confidential information by allowing, or failing to prevent, unauthorized access to computer systems.

The costs associated with a privacy breach, such as consumer notification, customer support and costs of providing credit monitoring services to affected consumers.

The costs associated with restoring, updating or replacing business assets stored electronically.

Business interruption and extra expense related to a security or privacy breach.

Liability associated with libel, slander, copyright infringement, product disparagement or reputational damage to others when the allegations involve a business website, social media or print media.

Expenses related to cyber extortion or cyber terrorism. Coverage for expenses related to regulatory compliance for billing errors, physician self-referral proceedings and

Emergency Medical Treatment and Active Labor Act proceedings.

It seems likely that businesses without IRPs are less prepared for the cyber intrusions that will occur…when, not if, and may not have cyber insurance!