Cyber Insurance: Are you Covered?
Networked computing is now firmly embedded in virtually every business process. Providing a secure and trusted platform for conducting transactions and exchanging information is basic to the value proposition of every financial institution.
The platform, however, is only partly based at the institutions’ physical locations. It has expanded to include a distributed computing system that enables e-commerce with customers, suppliers and partners, which, more and more, is standard operating procedure. Physical limitations have been largely removed by the Internet and by the ability of institutions to connect their own electronic platforms to the Internet’s vast public structure, allowing information to flow easily among internal and remote users.
No matter how good your IT security is, your business is at risk of having its information stolen. Google, Facebook, Citibank, and even the federal government have fallen prey to cyber attacks in the past year.
It’s not just the big name companies that are at risk either – more and more small and mid-sized companies are becoming the victims of online data theft and fraud. While large-scale security breaches tend to get more attention from the media, it makes more sense for hackers to go after the “low hanging fruit” of smaller and more vulnerable companies.
The good news about cyber risks is that most data and privacy breaches are preventable. Only 3% of the 1,700 incidents that occurred in 2010 were considered unavoidable. By carefully considering your liabilities and proactively planning for incidents, you can do a great deal to ensure your company isn’t the next cyber victim.
It's hard to shell out big bucks for things that you hope you'll never use. That's why buying insurance of any kind is such a drag. But when it comes to mitigating risks that could wipe out your entire business in a matter of days, many people opt to play it safe. And there's a new risk in town: cyber risk. Not surprisingly, following close behind is cyber insurance.
Such policies, which have been around for about five years, are designed to protect businesses should they fall victim to hacker attacks or other forms of online mischief or catastrophe. And more businesses are considering such coverage worth the expense. According to the 2006 CSI/FBI Computer Crime and Security Survey, 29 percent of U.S. companies say they have external insurance policies to manage cyber security risks, up from 25 percent in 2005. It's easy to see why. Nearly all companies now rely heavily on electronic information, which puts them at risk of losing business as a result of network downtime or being held liable by customers as a result of stolen personal data. Buffeted by stories of phishing attacks, spybots, and malicious viruses and worms, what responsible business owner wouldn't be interested in turning a variable risk into a fixed cost?
But purchasing a cyber insurance policy is far from a no-brainer. The policies are often confusing and pricey. The main problem: Cyber risk has been frustratingly difficult for insurers to quantify. Because cyber insurance policies are so new, there is a dearth of actuarial data on which to base the premium rates. "The insurance provisions have been drafted pretty narrowly," says Joshua Gold, a partner at Anderson Kill & Olick, a New York City-based law firm that specializes in representing businesses in insurance disputes. Gold, for example, has reviewed policies that claim to guard against "computer security incidents" on the one hand, but then exclude something as basic as a virus from that definition.
Indeed, because there is next to no case law for precedent in technology-related insurance claims, it's not uncommon for policies to come with four or five pages of single-spaced exclusions to the coverage. Says John Pescatore, an analyst at Gartner (NYSE:IT), an IT research firm based in Stamford, Connecticut: "The price of the policies is too close to the cost of an actual event. You may be better off just spending the money to avoid an incident."
Cyber insurance policies also have been difficult to apply for, often demanding that applicants undergo a third-party audit of their security practices. Fortunately, many carriers have streamlined the process and now write policies based on such factors as the size of the company, the amount of data it holds on file, how many people have access to that information, security policies, whether data is encrypted, and whether the company has experienced losses in the past. Premiums are edging downward, too. At the New York-based insurance giant AIG (NYSE:AIG), for example, a typical policy for a small company could cost as little as $1,000 a year in premiums, with a $1,000 deductible and up to $100,000 in coverage. "We've got a good handle on how to evaluate the risks now," says Nancy Callahan, vice president of AIG's identity theft and fraud division.
Before you begin shopping for a cyber policy, dig up your existing business insurance policy and give it a close read. You might find that you're already covered for many cyber-related incidents. It all depends on how your current policy is worded. As cyber risks have grown, insurers have begun to add language to business liability policies that specifically excludes cyber-related liability. So when it comes to existing insurance, an older plan may actually offer better coverage. "Some of the older general liability plans have good broad coverage," says Gold. Say, for example, an identity thief breaks into your system, steals personal information, and sells it on the Internet. A customer may decide to file suit for a violation of privacy, as well as any monetary damages incurred. Under an existing personal injury plan, there's a pretty good chance that your business would be covered. If not, many carriers will allow you to extend an existing errors and omissions or general liability plan to cover some cyber risks.
For now, experts say that companies that deal heavily in electronic information are the best candidates for a separate cyber insurance plan. That is the case with Scott Paly, the CEO of Global DataGuard, an IT security products and services provider in Dallas. Like many contractors that are required to obtain errors and omissions insurance by their clients, Paly now is often asked by his customers to get cyber coverage, as well. Paly pays more than the average business would for his insurance, about $11,000 a year, because of the nature of his business. But he views the added insurance as a cost of doing business. That's why he set the deductible high, at $25,000. "We have a high deductible," he says, "because I highly doubt we'll ever have a problem with this."
Nonetheless, insurers are marketing their cyber policies aggressively, and most experts agree that as more business is conducted electronically, the policies will become more widely adopted. "Transferring risk is a legitimate business strategy, and over time I think the insurance companies will be able to offer more compelling products," says Robert Richardson, director of the Computer Security Institute, an industry group for information security professionals. "Of course, there are some things you can't cover with insurance, like loss of customer trust or losses that land you in jail."
Assumptions have been made that a traditional Commercial General Liability (CGL) policy will afford you coverage for business interruption, intellectual property damage, and similar losses. Courts have even ruled that “physical damage” includes losses related to computer information. Insurers are avoiding this liability by including specific exclusions and by requiring endorsements for this coverage.
However, insurance carriers are now becoming savvy about the technology industry. Product offerings are greater, and we are seeing a plethora of cyber insurance products. Knowing the ins and outs of each product will be key to proper policy selection.
Cyber liability coverage includes an e-comprehensive policy. This policy will cover losses caused by fraudulent modification, accidental alteration or destruction of all electronically stored information. In addition, losses caused by malicious copying of trade secrets, extortion, and the introduction of a virus would be covered.
Media liability addresses the losses associated with libel, slander, and invasion of privacy and infringement of copyrights.
This may be needed, especially if your employees are given access to email capabilities and Internet access. Email is an essential tool of today’s fast-paced business culture. However, messages taken out of context may cause difficulty. Establish an email usage policy and educate employees on the proper use of emails and surfing the net.
Cyber risk has become a leading issue for many organizations as awareness of cloud computing, social media, corporate Bring Your Own Device policies, big data, and state-sponsored espionage has grown and recently been amplified by President Obama's Cybersecurity Executive Order. In an increasingly punitive legal and regulatory environment, and in the face of more frequent contractual insurance requirements specifying cyber liability, forward-thinking companies are taking proactive steps to explore and transfer cyber risk.
Organizations should be concerned about cyber risk if they:
- Gather, maintain, disseminate or store private information
- Have a high degree of dependency on electronic processes or computer networks
- Engage vendors, independent contractors or additional service providers
- Are subject to regulatory statutes
- Are required to comply with PCI Security Standards/Plastic Card Security statutes
- Are concerned about contingent bodily injury and property damage that may result from cyber incidents
- Rely on or operate critical infrastructure (Personally Identifiable Information risks are less prominent for industries such as utilities, manufacturing and logistics)
- Are concerned about intentional acts by rogue employees
- Are public companies subject to the SEC Cyber Disclosure Guidance of 2011
While existing forms sometimes carry a level of coverage, they were not intended to cover many risks associated with an increasingly digital world. Typical forms respond as follows:
- General Liability: covers bodily injury and property damage, not economic loss.
- Errors & Omissions: covers economic damages resulting from a failure of defined services only, and may contain exclusions for data and privacy breaches.
- Property Insurance: covers tangible property, which data is not. Loss must be caused by a physical peril, whereas the perils to data are viruses and hackers.
- Crime: covers employees and generally only money, securities and tangible property. No coverage for third party property such as customer/client data.
With identity theft causing tens of billions of dollars in extra business expenses annually, organizations face an array of direct and indirect costs from data breaches, according to a new white paper from Business Insurance.
Risk managers at all organizations should work to minimize their exposure to cyber risks by “expecting the unexpected” and adopting various strategies, both organizational and technological, according to the white paper by cyber risk and insurance expert Mark Greisiger, president of Philadelphia-based Network Standard Corp., which does business as NetDiligence.
Identity theft affects about 10 million U.S. residents a year and causes an estimated $50 billion in unnecessary business expenses, according to the Federal Trade Commission.
The theft of personal information costs organizations an average of about $710,000 per incident, according to an annual FBI study. And the sources of those extra expenses are numerous, according to the white paper, “Cyber Risks: How to Protect Your Business in the Digital Age.”
- Managing a lengthy forensic computer system investigation. Depending on the type of data (personal health information, images, audio files, etc.), the volume of information and other factors, such as centralization of systems, such costs can range from tens of thousands to millions of dollars.
- Recovering from damage done to the organization’s reputation and the trust of customers or business partners, which is difficult to quantify.
The white paper recommends that organizations develop a layered approach to cyber risk management, and it includes practical advice on how risk managers can achieve that goal. Strategies discussed include technological defenses, such as firewalls and encryption, and system management changes, such as effective password-protection policies.
Specialty insurance protection against cyber risks was first offered more than 10 years ago and is becoming more readily available, as reflected in a directory of cyber insurers that lists about 20 insurers offering coverage.
Related Links:
http://www.businessinsurance.com/article/20110103/NEWS/110109991
http://www.willis.com/Documents/Publications/General_Publications/Cyber_Risk_White_Paper.pdf
http://www.aon.com/attachments/risk-services/cyber/Aon-Cyber-Risk-Solutions-General.pdf