Cyber Insurance: Are you Covered?

Networked computing is now firmly embedded in virtually every business process. Providing a secure and trusted platform for conducting transactions and exchanging information is basic to the value proposition of every financial institution.

The platform, however, is only partly based at the institution's physical locations. It has expanded to include a distributed computing system that enables e-commerce with customers, suppliers and partners, which is increasingly standard operating procedure. Physical limitations have been largely removed by the Internet and by the ability of institutions to connect their own electronic platforms to the Internet's vast public structure, allowing information to flow easily among internal and remote users.

No matter how good your IT security is, your business is at risk of having its information stolen. Google, Facebook, Citibank, and even the federal government have fallen prey to cyber attacks in the past year.

It's not just the big-name companies that are at risk, either: more and more small and mid-sized companies are becoming victims of online data theft and fraud. While large-scale security breaches tend to get more media attention, attackers often find it easier to go after the "low-hanging fruit" of smaller, less well-defended companies.

The good news about cyber risk is that most data and privacy breaches are preventable: of the roughly 1,700 incidents recorded in 2010, only 3% were considered unavoidable. By carefully considering your liabilities and proactively planning for incidents, you can do a great deal to ensure your company isn't the next cyber victim.

It's hard to shell out big bucks for things you hope you'll never use. That's why buying insurance of any kind is such a drag. But when it comes to mitigating risks that could wipe out your entire business in a matter of days, many people opt to play it safe. And there's a new risk in town: cyber risk. Not surprisingly, cyber insurance is following close behind.

Such policies, which at the time of the 2006 survey cited below had been around for about five years, are designed to protect businesses should they fall victim to hacker attacks or other forms of online mischief or catastrophe. More businesses are coming to consider such coverage worth the expense. According to the 2006 CSI/FBI Computer Crime and Security Survey, 29 percent of U.S. companies said they had external insurance policies to manage cyber security risks, up from 25 percent in 2005. It's easy to see why. Nearly all companies now rely heavily on electronic information, which puts them at risk of losing business as a result of network downtime or of being held liable by customers as a result of stolen personal data. Buffeted by stories of phishing attacks, spybots, and malicious viruses and worms, what responsible business owner wouldn't be interested in turning a variable risk into a fixed cost?

But purchasing a cyber insurance policy is far from a no-brainer. The policies are often confusing and pricey. The main problem: cyber risk has been frustratingly difficult for insurers to quantify. Because cyber insurance policies are so new, there is a dearth of actuarial data on which to base premium rates. "The insurance provisions have been drafted pretty narrowly," says Joshua Gold, a partner at Anderson Kill & Olick, a New York City-based law firm that specializes in representing businesses in insurance disputes. Gold, for example, has reviewed policies that claim to guard against "computer security incidents" on the one hand, but then exclude something as basic as a virus from that definition.

Indeed, because there is next to no case law to serve as precedent in technology-related insurance claims, it's not uncommon for policies to come with four or five pages of single-spaced exclusions to the coverage. Says John Pescatore, an analyst at Gartner (NYSE:IT), an IT research firm based in Stamford, Connecticut: "The price of the policies is too close to the cost of an actual event. You may be better off just spending the money to avoid an incident."

Cyber insurance policies also have been difficult to apply for, often demanding that applicants undergo a third-party audit of their security practices. Fortunately, many carriers have streamlined the process and now write policies based on such factors as the size of the company, the amount of data it holds on file, how many people have access to that information, security policies, whether data is encrypted, and whether the company has experienced losses in the past. Premiums are edging downward, too. At the New York-based insurance giant AIG (NYSE:AIG), for example, a typical policy for a small company could cost as little as $1,000 a year in premiums, with a $1,000 deductible and up to $100,000 in coverage. "We've got a good handle on how to evaluate the risks now," says Nancy Callahan, vice president of AIG's identity theft and fraud division.

Before you begin shopping for a cyber policy, dig up your existing business insurance policy and give it a close read. You might find that you're already covered for many cyber-related incidents. It all depends on how your current policy is worded. As cyber risks have grown, insurers have begun to add language to business liability policies that specifically excludes cyber-related liability. So when it comes to existing insurance, an older plan may actually offer better coverage. "Some of the older general liability plans have good broad coverage," says Gold. Say, for example, an identity thief breaks into your system, steals personal information, and sells it on the Internet. A customer may decide to file suit for a violation of privacy, as well as any monetary damages incurred. Under an existing personal injury plan, there's a pretty good chance that your business would be covered. If not, many carriers will allow you to extend an existing errors and omissions or general liability plan to cover some cyber risks.

For now, experts say that companies that deal heavily in electronic information are the best candidates for a separate cyber insurance plan. That is the case with Scott Paly, the CEO of Global DataGuard, an IT security products and services provider in Dallas. Like many contractors that are required by their clients to obtain errors and omissions insurance, Paly is now often asked by his customers to get cyber coverage as well. Paly pays more than the average business would for his insurance, about $11,000 a year, because of the nature of his business. But he views the added insurance as a cost of doing business. That's why he set the deductible high, at $25,000. "We have a high deductible," he says, "because I highly doubt we'll ever have a problem with this."

Nonetheless, insurers are marketing their cyber policies aggressively, and most experts agree that as more business is conducted electronically, the policies will become more widely adopted. "Transferring risk is a legitimate business strategy, and over time I think the insurance companies will be able to offer more compelling products," says Robert Richardson, director of the Computer Security Institute, an industry group for information security professionals. "Of course, there are some things you can't cover with insurance, like loss of customer trust or losses that land you in jail."

It is often assumed that a traditional Commercial General Liability (CGL) policy will afford you coverage for business interruption, intellectual property damage, and similar losses. Some courts have even ruled that "physical damage" includes losses to computer information. Insurers are responding by writing specific exclusions into their policies and requiring separate endorsements for this coverage.

However, insurance carriers are becoming more technology-savvy, and product offerings are multiplying. With a plethora of cyber insurance products on the market, knowing the ins and outs of each will be key to selecting the right policy.

One form of cyber liability coverage is the "e-comprehensive" policy. It covers losses caused by fraudulent modification, accidental alteration, or destruction of electronically stored information, as well as losses caused by malicious copying of trade secrets, extortion, and the introduction of a virus.

Media liability coverage addresses losses associated with libel, slander, invasion of privacy, and copyright infringement. It may be needed especially if your employees are given email and Internet access. Email is an essential tool of today's fast-paced business culture, but messages taken out of context can cause difficulty. Establish an email usage policy and educate employees on the proper use of email and the web.

Cyber risk has become a leading issue for many organizations as awareness of cloud computing, social media, corporate Bring Your Own Device policies, big data, and state-sponsored espionage has grown, recently amplified by President Obama's Cybersecurity Executive Order. In an increasingly punitive legal and regulatory environment, and in the face of more frequent contractual requirements specifying cyber liability insurance, forward-thinking companies are taking proactive steps to explore and transfer cyber risk.

Organizations should be concerned about cyber risk if they:

  • Gather, maintain, disseminate or store private information
  • Have a high degree of dependency on electronic processes or computer networks
  • Engage vendors, independent contractors or additional service providers
  • Are subject to regulatory statutes
  • Are required to comply with PCI Security Standards/Plastic Card Security statutes
  • Are concerned about contingent bodily injury and property damage that may result from cyber incidents
  • Rely on or operate critical infrastructure (Personally Identifiable Information risks are less prominent for industries such as utilities, manufacturing and logistics, but operational disruption is not)
  • Are concerned about intentional acts by rogue employees
  • Are public companies subject to the SEC Cyber Disclosure Guidance of 2011

While existing forms sometimes carry a level of coverage, they were not intended to cover many risks associated with an increasingly digital world. Typical forms respond as follows:

  • General Liability: covers bodily injury and property damage, not economic loss.
  • Errors & Omissions: covers economic damages resulting from a failure of defined services only, and may contain exclusions for data and privacy breaches.
  • Property Insurance: covers tangible property, which data is not. Loss must be caused by a physical peril, whereas the perils that threaten data are viruses and hackers.
  • Crime: covers employee dishonesty and generally only money, securities and tangible property. No coverage for third-party property such as customer/client data.

With identity theft causing tens of billions of dollars in extra business expenses annually, organizations face an array of direct and indirect costs from data breaches, according to a new white paper from Business Insurance.

Risk managers at all organizations should work to minimize their exposure to cyber risks by "expecting the unexpected" and adopting various strategies, both organizational and technological, according to the white paper by cyber risk and insurance expert Mark Greisiger, president of Philadelphia-based Network Standard Corp., which does business as NetDiligence.

Identity theft affects about 10 million U.S. residents a year and causes an estimated $50 billion in unnecessary business expenses, according to the Federal Trade Commission.

The theft of personal information costs organizations an average of about $710,000 per incident, according to an annual FBI study. The sources of those extra expenses are numerous, according to the white paper, "Cyber Risks: How to Protect Your Business in the Digital Age," and include:

  • Managing a lengthy forensic investigation of the computer systems involved. Depending on the type of data (personal health information, images, audio files, etc.), the volume of information, and other factors such as how centralized the systems are, such costs can range from tens of thousands to millions of dollars.
  • Recovering from damage to the organization's reputation and to the trust of customers and business partners, which is difficult to quantify.

The white paper argues that organizations should develop a layered approach to cyber risk management, and it offers practical advice on how risk managers can achieve that goal. The strategies discussed include technological defenses, such as firewalls and encryption, and system management changes, such as effective password policies.

Specialty insurance protection against cyber risks was first offered more than 10 years ago and is becoming more readily available; the white paper's directory of cyber insurers lists about 20 carriers offering coverage.

Related Links:

http://www.businessinsurance.com/article/20110103/NEWS/110109991

http://www.willis.com/Documents/Publications/General_Publications/Cyber_Risk_White_Paper.pdf

http://www.aon.com/attachments/risk-services/cyber/Aon-Cyber-Risk-Solutions-General.pdf

http://www.kapnick.com/
