Cyber Insurance: Are you Covered?

Networked computing is now firmly embedded in virtually every business process. Providing a secure and trusted platform for conducting transactions and exchanging information is basic to the value proposition of every financial institution.

The platform, however, is only partly based at the institutions’ physical locations. It has expanded to include a distributed computing system that enables e-commerce with customers, suppliers and partners, which, more and more, is standard operating procedure. Physical limitations have been largely removed by the Internet and by the ability of institutions to connect their own electronic platforms to the Internet’s vast public structure, allowing information to flow easily among internal and remote users.

No matter how good your IT security is, your business is at risk for having your information stolen. Google, Facebook, Citibank, and even the federal government have fallen prey to cyber attacks in the past year.

It’s not just the big name companies that are at risk either – more and more small and mid-sized companies are becoming the victims of online data theft and fraud. While large-scale security breaches tend to get more attention from the media, it makes more sense for hackers to go after the “low hanging fruit” of smaller and more vulnerable companies.

The good news about cyber risks is that most data and privacy breaches are preventable. Only 3% of the 1,700 incidents that occurred in 2010 were considered unavoidable. By carefully considering your liabilities and proactively planning for incidents, you can do a great deal to ensure your company isn’t the next cyber victim.

It's hard to shell out big bucks for things that you hope you'll never use. That's why buying insurance of any kind is such a drag. But when it comes to mitigating risks that could wipe out your entire business in a matter of days, many people opt to play it safe. And there's a new risk in town: cyber risk. Not surprisingly, following close behind is cyber insurance.

Such policies, which have been around for about five years, are designed to protect businesses should they fall victim to hacker attacks or other forms of online mischief or catastrophe. And more businesses are considering such coverage worth the expense. According to the 2006 CSI/FBI Computer Crime and Security Survey, 29 percent of U.S. companies say they have external insurance policies to manage cyber security risks, up from 25 percent in 2005. It's easy to see why. Nearly all companies now rely heavily on electronic information, which puts them at risk of losing business as a result of network downtime or being held liable by customers as a result of stolen personal data. Buffeted by stories of phishing attacks, spybots, and malicious viruses and worms, what responsible business owner wouldn't be interested in turning a variable risk into a fixed cost?

But purchasing a cyber insurance policy is far from a no-brainer. The policies are often confusing and pricey. The main problem: cyber risk has been frustratingly difficult for insurers to quantify. Because cyber insurance policies are so new, there is a dearth of actuarial data on which to base premium rates. "The insurance provisions have been drafted pretty narrowly," says Joshua Gold, a partner at Anderson Kill & Olick, a New York City-based law firm that specializes in representing businesses in insurance disputes. Gold, for example, has reviewed policies that claim to guard against "computer security incidents" on the one hand, but then exclude something as basic as a virus from that definition.
Indeed, because there is next to no case law for precedent in technology-related insurance claims, it's not uncommon for policies to come with four or five pages of single-spaced exclusions to the coverage. Says John Pescatore, an analyst at Gartner (NYSE:IT), an IT research firm based in Stamford, Connecticut: "The price of the policies is too close to the cost of an actual event. You may be better off just spending the money to avoid an incident."

Cyber insurance policies also have been difficult to apply for, often demanding that applicants undergo a third-party audit of their security practices. Fortunately, many carriers have streamlined the process and now write policies based on such factors as the size of the company, the amount of data it holds on file, how many people have access to that information, security policies, whether data is encrypted, and whether the company has experienced losses in the past. Premiums are edging downward, too. At the New York-based insurance giant AIG (NYSE:AIG), for example, a typical policy for a small company could cost as little as $1,000 a year in premiums, with a $1,000 deductible and up to $100,000 in coverage. "We've got a good handle on how to evaluate the risks now," says Nancy Callahan, vice president of AIG's identity theft and fraud division.

Before you begin shopping for a cyber policy, dig up your existing business insurance policy and give it a close read. You might find that you're already covered for many cyber-related incidents. It all depends on how your current policy is worded. As cyber risks have grown, insurers have begun to add language to business liability policies that specifically excludes cyber-related liability. So when it comes to existing insurance, an older plan may actually offer better coverage. "Some of the older general liability plans have good broad coverage," says Gold. Say, for example, an identity thief breaks into your system, steals personal information, and sells it on the Internet. A customer may decide to file suit for a violation of privacy, as well as any monetary damages incurred. Under an existing personal injury plan, there's a pretty good chance that your business would be covered. If not, many carriers will allow you to extend an existing errors and omissions or general liability plan to cover some cyber risks.

For now, experts say that companies that deal heavily in electronic information are the best candidates for a separate cyber insurance plan. That is the case with Scott Paly, the CEO of Global DataGuard, an IT security products and services provider in Dallas. Like many contractors that are required by their clients to obtain errors and omissions insurance, Paly is now often asked by his customers to get cyber coverage as well. Paly pays more than the average business would for his insurance, about $11,000 a year, because of the nature of his business. But he views the added insurance as a cost of doing business. That's why he set the deductible high, at $25,000. "We have a high deductible," he says, "because I highly doubt we'll ever have a problem with this."

Nonetheless, insurers are marketing their cyber policies aggressively, and most experts agree that as more business is conducted electronically, the policies will become more widely adopted. "Transferring risk is a legitimate business strategy, and over time I think the insurance companies will be able to offer more compelling products," says Robert Richardson, director of the Computer Security Institute, an industry group for information security professionals. "Of course, there are some things you can't cover with insurance, like loss of customer trust or losses that land you in jail."

Assumptions have been made that a traditional Commercial General Liability (CGL) policy will afford you coverage for business interruption, intellectual property damage, and similar losses. Courts have even ruled that “physical damage” includes losses related to computer information. Insurers are avoiding that liability by including specific exclusions and requiring endorsements for this coverage.

However, insurance carriers are now becoming savvy about the technology industry, and product offerings are broader. We are seeing a plethora of cyber insurance products, so knowing the ins and outs of each product will be key to proper policy selection.

Cyber liability coverage includes an e-comprehensive policy. This policy will cover losses caused by fraudulent modification, accidental alteration or destruction of all electronically stored information. In addition, losses caused by malicious copying of trade secrets, extortion, and the introduction of a virus would be covered.

Media liability addresses the losses associated with libel, slander, invasion of privacy and infringement of copyrights. This may be needed, especially if your employees are given email and Internet access. Email is an essential tool of today’s fast-paced business culture; however, messages taken out of context may cause difficulty. Establish an email usage policy and educate employees on the proper use of email and web browsing.

Cyber risk has become a leading issue for many organizations as awareness of cloud computing, social media, corporate Bring Your Own Device policies, big data, and state-sponsored espionage has grown, amplified recently by President Obama's Cybersecurity Executive Order. In an increasingly punitive legal and regulatory environment, and in the face of more frequent contractual insurance requirements specifying cyber liability, forward-thinking companies are taking proactive steps to explore and transfer cyber risk.

Organizations should be concerned about cyber risk if they:

  • Gather, maintain, disseminate or store private information
  • Have a high degree of dependency on electronic processes or computer networks
  • Engage vendors, independent contractors or additional service providers
  • Are subject to regulatory statutes
  • Are required to comply with PCI Security Standards/Plastic Card Security statutes
  • Are concerned about contingent bodily injury and property damage that may result from cyber incidents
  • Rely on or operate critical infrastructure (Personally Identifiable Information risks are less prominent for industries such as utilities, manufacturing and logistics)
  • Are concerned about intentional acts by rogue employees
  • Are public companies subject to the SEC Cyber Disclosure Guidance of 2011

While existing forms sometimes carry a level of coverage, they were not intended to cover many risks associated with an increasingly digital world. Typical forms respond as follows:

  • General Liability: covers bodily injury and property damage, not economic loss.
  • Errors & Omissions: covers economic damages resulting from a failure of defined services only, and may contain exclusions for data and privacy breaches.
  • Property Insurance: covers tangible property, which data is not. Loss must be caused by a physical peril, whereas the perils to data are viruses and hackers.
  • Crime: covers employees and generally only money, securities and tangible property. No coverage for third-party property such as customer/client data.

With identity theft causing tens of billions of dollars in extra business expenses annually, organizations face an array of direct and indirect costs from data breaches, according to a new white paper from Business Insurance.

Risk managers at all organizations should work to minimize their exposure to cyber risks by “expecting the unexpected” and adopting various strategies, both organizational and technological, according to the white paper by cyber risk and insurance expert Mark Greisiger, president of Philadelphia-based Network Standard Corp., which does business as NetDiligence.

Identity theft affects about 10 million U.S. residents a year and causes an estimated $50 billion in unnecessary business expenses, according to the Federal Trade Commission.

The theft of personal information costs organizations an average of about $710,000 per incident, according to an annual FBI study. And the sources of those extra expenses are numerous, according to the white paper, “Cyber Risks: How to Protect Your Business in the Digital Age.” They include:

  • Managing a lengthy forensic computer system investigation. Depending on the type of data (personal health information, images, audio files, etc.), the volume of information and other factors, such as centralization of systems, such costs can range from tens of thousands to millions of dollars.
  • Recovering from damage done to the organization’s reputation and the trust of customers or business partners, which is difficult to quantify.

Organizations should develop a layered approach to cyber risk management, and the white paper includes practical advice on how risk managers can achieve that goal. Strategies discussed include technological defenses, such as firewalls and encryption, and system management changes, such as effective password-protection policies.

Specialty insurance protection against cyber risks was first offered more than 10 years ago and is becoming more readily available, as reflected in the directory of cyber insurers, which lists about 20 insurers offering coverage.

Related Links:

http://www.businessinsurance.com/article/20110103/NEWS/110109991

http://www.willis.com/Documents/Publications/General_Publications/Cyber_Risk_White_Paper.pdf

http://www.aon.com/attachments/risk-services/cyber/Aon-Cyber-Risk-Solutions-General.pdf

http://www.kapnick.com/
