Back in June 2014, months before the latest Sony Hack, Canadian Underwriter Magazine said:
“Cyber insurance coverage is entering the next phase (…) from optional add-on product to increasingly important component of a thorough risk management program.
As high-profile data security breaches grab top headlines, more organizations are having the “cyber talk” with their brokers and insurance partners.”
Sounds about right.
I have spoken to more business owners about cyber insurance in the past four months than I did during the past four years combined.
In an effort to help create awareness about cyber risks, here are 6 things you should keep in mind:
1. Every business has cyber and privacy loss exposures
Most people I talk to associate cyber risks with technology firms or large corporations, but the fact is: if you have customers and use computers, you are a target.
And talking about ‘target’, one of the best examples that shows that all types of business are exposed to cyber risks is the 2013 Target hack.
Did you hear about how it started?
According to various sources (including this article on CIO.com), the attackers first hacked the systems of Target’s Heating and Air-Conditioning vendor!!
With the HVAC vendor’s credentials, then hackers gained access to Target’s hosted web services dedicated to vendors.
Before this became known, how many HVAC contractors do you think were buying “cyber-liability” insurance?
2. Cyber risks come in many flavors
The threats to network systems, privacy and information come in many flavours, including cyber-attacks (such as the Sony Hack), malicious acts by disgruntled employees and lost or stolen memory sticks, cell phones, paper files – yes, paper files – and laptops.
Actually, according to NetDiligence 2013 Cyber Liability & Data Breach Insurance Claims report, lost or stolen laptops and devices were the most frequent cause of loss, at 20.7% of the total, followed by hackers at 18.6%.
Other threats include human errors (employees or contractors doing dumb things) and, of course, systems errors (software glitches, cloud computing problems).
3. Traditional commercial insurance does not provide adequate coverage – if any – against cyber risks
If you’re thinking “I’m fine. I have business insurance”, just remember that a General Liability insurance policy (which is the most common type of insurance businesses carry), would NOT protect you against cyber risks. That’s because General Liability and umbrella liability are there to protect you mainly against claims of property damage and bodily injury.
Other types of insurance, such as “commercial property” and “commercial crime” don’t protect against cyber risks. Besides, they offer no third-party coverage and very limited first party coverage (for example: the definition of property does not include intangible property, such as “data”).
On the other hand, policies such as professional liability (errors and omissions) offer negligence-based coverage, with first-party coverage (your own losses) not contemplated.
To protect your business against cyber risks you need specialized coverage added to your existing commercial insurance package or a separate cyber-risk insurance policy.
4. The first step is to identify your potential risks
Ask yourself, “How prepared is my business to deal with the following?”
- Identity theft resulting from lost or stolen Social Insurance Numbers or credit cards, driver license, or financial information
- Hacker attack resulting in theft of personally identifiable information, protected health information or other confidential information
- A lawsuit stemming from a security failure or alleged technology error or omission that results in damages to customers
- A lawsuit alleging trademark or copyright infringement
- A lawsuit alleging invasion of privacy, defamation, or product disparagement involving information residing in email, on laptops, cellphones, flash drives, on servers or on the Internet
- A regulatory proceeding seeking fines or penalties as a result of actual or potential unauthorized access to private information
- An e-business interruption resulting from a security failure or Internet virus
- A cyber extortion threat
- Costs related to privacy notification, crisis management, and disaster recovery
The costs of data security breaches can be significant. According to the Ponemon Institute:
• The average cost of a data breach to an organization in 2012 was $5.4 million. 1
• The average cost per compromised record in 2012 was $188 ($66 of this amount relates to direct costs associated with forensics, notification, credit monitoring and public relations).1
• Cyber-attacks can get costly if they are not resolved quickly – there is a positive relationship between the time taken to contain an attack and organizational cost.2
1 2013Cost of Data Breach Study: Global Analysis, Ponemon Institute.
2 2012Cost of Cyber Crime Study, Ponemon Institute
5. You can transfer the risk
Cyber-risk insurance (insurance for data security breaches and privacy liability) can include, amongst others, the following coverages…
Third-party cyber liability coverage for claims…
- Alleging unauthorized access to or dissemination of private information (Disclosure injury).
- Arising from copyright and trademark infringement (Content injury).
- Alleging disparagement of products or services, defamation, and invasion of privacy (Reputation injury).
- Arising from system security failures that result in harm to third-party systems (Conduit injury).
- Arising from system security failure resulting in your systems being unavailable to your customers (Impaired-access injury).
First-party (that’s you) cyber-crime expense for…
- Privacy notification expenses, even if the notification is voluntary on your (the insured’s) part (as opposed to notification required by law).
- Crisis management and reward expenses including the cost of forensic and public relations consultants.
- E-business interruption, including first-dollar extra expense.
- E-threat including the cost of a professional negotiator and ransom payment.
- E-vandalism expenses (some policies cover ever when the vandalism is caused by an employee).
# 6: Remember: Insurance (on its own) is not risk management
Your focus should be on loss prevention, which starts by giving the issue of cyber-security and cyber-liability the importance it deserves.
Some insurers, such as Chubb, offer resources to their clients, including an Incident Response Plan template and more tools to help your business mitigate its risk of a data breach or privacy loss and assist in responding quickly when one occurs.
Remember that insurance is just one of the components of a good risk management plan, and while it is an effective way to transfer your risk of financial loss to someone else (an insurance company), it might not be able to help you fix a bad reputation or regain lost trust from customers.
Eddie is a Risk Management and Insurance advisor specializing in Business Insurance for Technology Companies.