Back in June 2014, months before the latest Sony Hack, Canadian Underwriter Magazine said:
“Cyber insurance coverage is entering the next phase (…) from optional add-on product to increasingly important component of a thorough risk management program.
As high-profile data security breaches grab top headlines, more organizations are having the “cyber talk” with their brokers and insurance partners.”
Sounds about right.
I have spoken to more business owners about cyber insurance in the past four months than I did during the past four years combined.
In an effort to help create awareness about cyber risks, here are 6 things you should keep in mind:
1. Every business has cyber and privacy loss exposures
Most people I talk to associate cyber risks with technology firms or large corporations, but the fact is: if you have customers and use computers, you are a target.
And talking about ‘target’, one of the best examples that shows that all types of business are exposed to cyber risks is the 2013 Target hack.
Did you hear about how it started?
According to various sources (including this article on CIO.com), the attackers first hacked the systems of Target’s Heating and Air-Conditioning vendor!!
With the HVAC vendor’s credentials, the hackers then gained access to Target’s hosted web services dedicated to vendors.
Before this became known, how many HVAC contractors do you think were buying “cyber-liability” insurance?
2. Cyber risks come in many flavors
The threats to network systems, privacy and information come in many flavours, including cyber-attacks (such as the Sony Hack), malicious acts by disgruntled employees and lost or stolen memory sticks, cell phones, paper files – yes, paper files – and laptops.
Lost or stolen laptops and devices: a TOP cyber risk.
Other threats include human errors (employees or contractors doing dumb things) and, of course, systems errors (software glitches, cloud computing problems).
3. Traditional commercial insurance does not provide adequate coverage – if any – against cyber risks
If you’re thinking “I’m fine. I have business insurance”, just remember that a General Liability insurance policy (which is the most common type of insurance businesses carry), would NOT protect you against cyber risks. That’s because General Liability and umbrella liability are there to protect you mainly against claims of property damage and bodily injury.
Other types of insurance, such as “commercial property” and “commercial crime” don’t protect against cyber risks. Besides, they offer no third-party coverage and very limited first party coverage (for example: the definition of property does not include intangible property, such as “data”).
On the other hand, policies such as professional liability (errors and omissions) offer negligence-based coverage only, and do not contemplate first-party coverage (your own losses).
To protect your business against cyber risks you need specialized coverage added to your existing commercial insurance package or a separate cyber-risk insurance policy.
4. The first step is to identify your potential risks
Ask yourself, “How prepared is my business to deal with the following?”
• Identity theft resulting from lost or stolen Social Insurance Numbers or credit cards, driver licences, or financial information
• A hacker attack resulting in theft of personally identifiable information, protected health information or other confidential information
• A lawsuit stemming from a security failure or alleged technology error or omission that results in damages to customers
• A lawsuit alleging trademark or copyright infringement
• A lawsuit alleging invasion of privacy, defamation, or product disparagement involving information residing in email, on laptops, cellphones, flash drives, on servers or on the Internet
• A regulatory proceeding seeking fines or penalties as a result of actual or potential unauthorized access to private information
• An e-business interruption resulting from a security failure or Internet virus
• Costs related to privacy notification, crisis management, and disaster recovery
The costs of data security breaches can be significant. According to the Ponemon Institute:
• The average cost of a data breach to an organization in 2012 was $5.4 million. [1]
• The average cost per compromised record in 2012 was $188 ($66 of this amount relates to direct costs associated with forensics, notification, credit monitoring and public relations). [1]
• Cyber-attacks can get costly if they are not resolved quickly – there is a positive relationship between the time taken to contain an attack and organizational cost. [2]
[1] 2013 Cost of Data Breach Study: Global Analysis, Ponemon Institute.
[2] 2012 Cost of Cyber Crime Study, Ponemon Institute.
5. You can transfer the risk
Cyber-risk insurance (insurance for data security breaches and privacy liability) can include, amongst others, the following coverages…
Third-party cyber liability coverage for claims…
Alleging unauthorized access to or dissemination of private information (Disclosure injury).
Arising from copyright and trademark infringement (Content injury).
Alleging disparagement of products or services, defamation, and invasion of privacy (Reputation injury).
Arising from system security failures that result in harm to third-party systems (Conduit injury).
Arising from system security failure resulting in your systems being unavailable to your customers (Impaired-access injury).
First-party (that’s you) cyber-crime expense for…
Privacy notification expenses, even if the notification is voluntary on your (the insured’s) part (as opposed to notification required by law).
Crisis management and reward expenses including the cost of forensic and public relations consultants.
E-business interruption, including first-dollar extra expense.
E-threat including the cost of a professional negotiator and ransom payment.
E-vandalism expenses (some policies cover this even when the vandalism is caused by an employee).
6. Remember: Insurance (on its own) is not risk management
Your focus should be on loss prevention, which starts by giving the issue of cyber-security and cyber-liability the importance it deserves.
Some insurers, such as Chubb, offer resources to their clients, including an Incident Response Plan template and more tools to help your business mitigate its risk of a data breach or privacy loss and assist in responding quickly when one occurs.
Remember that insurance is just one of the components of a good risk management plan, and while it is an effective way to transfer your risk of financial loss to someone else (an insurance company), it might not be able to help you fix a bad reputation or regain lost trust from customers.
Did you know that there are 2 words that can save you money … but could leave you without insurance coverage later on?
Those two words are: “and reported”
That’s right. The seemingly small difference of having the words “and reported” appear in your Professional Liability insurance policy can have a huge impact on your business when it really matters: at the time of a claim.
We’ll talk about why this is a big deal in a moment.
But first, let’s briefly discuss:
“Occurrence” policies VS. “Claims-Made” policies
Some policies (such as your home and auto insurance policies) are “occurrence” policies.
In other words, the coverage provided by your home and auto insurance policies is triggered by the date of the event that causes the claim (the ‘event’ could be an automobile accident, a fire, theft, etc.).
However, most professional liability insurance policies – such as your Technology Errors and Omissions policy – are “claims-made” policies.
In a claims-made policy, coverage is triggered by the date you (the insured) first become aware of the possibility of a claim … which is usually when your client presents you with “an oral or written demand for monetary or non-monetary damages, including any judicial or administrative proceeding”.
Here’s where it gets interesting:
There are 2 types of claims-made insurance policies:
– The “claims-made” policy (aka “the pure claims-made policy”)
– The “claims-made AND reported” policy
The latter is the most commonly used and offered. It’s also LESS expensive …. but … keep reading …
What’s the difference?
A CLAIMS-MADE policy:
applies to claims that are made (to you, by your client) during the policy term ….. regardless of when the claim is reported to the insurance company.
You only need to report the claim to your insurance company “as soon as practicable” … and not necessarily during the policy term.
On the other hand, a CLAIMS-MADE AND REPORTED policy:
applies to claims made (to you, by your client) and reported to the insurance company during the policy term (or a short grace period after the policy term).
What’s the big deal?
Do you take an active role in resolving or settling client disputes? Would you try to work things out with a client before reporting a potential or actual claim to your insurance company?
Understandably, businesses will try to satisfy their clients, and will do all that’s possible to resolve issues before resorting to legal defense and/or making insurance claims.
Sometimes that works.
Unfortunately, in many cases the only outcome from all the “back-and-forth” interactions with clients is delays in the reporting of the claim to the insurance company.
Those delays are dangerous.
If you have a “claims-made and reported” policy – and you become aware of a possible claim – you must report it to your insurance company BEFORE the current term expires.
Notice that I said: “before the current term expires”.
But what if you renew the policy with the same insurance company? Doesn’t doing so extend the ‘reporting period’ into the next term?
If you have a “claims-made and reported” policy – and you become aware of a possible claim – simply renewing your policy with the same insurance company does not eliminate the need to report the claim within the policy term.
A study conducted by Chubb Insurance found that, for 420 information and network technology Errors & Omissions claims that were reported to Chubb after the policy term had expired, the average delay in reporting the claim was 483 days …. after the expiration of the policy!
Under a “claims-made and reported” policy there would have been NO coverage for those claims.
It is obvious that the pure claims-made policy offers better protection, usually at a higher premium. But not all technology businesses need it, which is why you may want to take some time to think through your claims-handling process and perhaps avoid paying too much for a coverage trigger that you don’t need.
What type of Professional Liability policy do you have: “claims-made” or “claims-made and reported”?
If you’re not 100% sure, contact your broker right away to find out, and ensure you understand when and how claims need to be reported.
Why is this topic important?
Because the most commonly offered, most commonly used (and sometimes the only kind available to you) is the “claims-made and reported” type of policy.
For that reason, please, check to see what type of Professional Liability policy you have, and ensure you understand when and how claims need to be reported.
The few minutes you invest understanding this now, could save you thousands, or even millions, in the future.
It’s a fact: as you attempt to achieve your company’s goals, you will naturally take a number of risks that may bring about accidental losses to your property, to your income, through liability to others, etc.
Perish the thought!
The harsh reality is that, unless you are properly prepared to prevent these losses – and to “transfer” them to an insurance company when they do happen – the consequences could completely destroy or cripple your business. That’s why we prefer to call “risk exposures” and their potential consequences “The Monsters”.
Calling them “The Monsters” helps us remember that these are not simply words you find on some “risk assessment report” that lies forgotten on your company’s intranet.
So, with the goal of helping you become aware of some of the monsters you need to be on the lookout for, let’s take a look at 8 loss scenarios specific to technology companies.
By the way, if you’re thinking “I’m fine. I have business insurance”, just remember that a General Liability insurance policy (which is the most common type of insurance a business would carry) would NOT protect you in the scenarios listed below. That’s because General Liability is there to protect you primarily against claims of property damage and bodily injury.
Tip: As you read each example below, ask yourself: Could this particular Monster attack my business? What are we doing (other than insurance) to mitigate the consequences of this Monster’s attack? Do we have the proper insurance protection for this scenario?
OK, here we go:
Errors and Omissions in general:
The first monster that IT companies and IT professionals must be aware of is the infamous “E & O” monster.
“E & O” stands for Errors and Omissions, aka Professional Liability …. or, as it is known in other fields, “Malpractice liability”.
It’s usually your clients who will wake up the “E & O” Monster and send it out to get you, when they feel that the financial loss they’ve just suffered was caused by:
– your company’s ERROR (something you did wrong) or….
– an OMISSION (something you, as a professional, should have done, but didn’t).
The “E & O” Monster also visits you when, for example, your client claims that your product failed to perform as expected.
What really sucks is that you can be sued, even if you didn’t make a mistake!
For example, let’s say you design a new invoicing system for a client and the client alleges the final system lacks the functionality they wanted. This happens, even though you delivered what you thought was required. If your client sues you (and you have the right insurance coverage) your insurance company will defend you, which protects you from having to pay the potentially huge ‘defense costs’.
Monster # 2: Where’s My Data? *
How did “corrupted data” create a $900,000.00 loss for a software vendor?
A communications company sues for lost revenue and expenses to recover billing files for wireless customers.
The billing files were deleted by their software vendor while updating the system.
Monster # 3: Software Fails to Maintain Employee Hours *
A company provides timekeeping hardware and software to its customer.
The software doesn’t function correctly; it fails to maintain employee hours worked and correctly apply the hourly and overtime rate of pay.
The failure results in over/underpaying employees and the need to replace the timekeeping clocks. The customer sues the provider of the hardware and software.
Indemnity Paid: $440,000
Monster # 4: Missed deadlines cause a breach of contract *
It was time for a company-wide upgrade, and a firm decided to outsource to an information technology and management services company the entire replacement of hardware, software and infrastructure, as well as telecommunications and related services, in order to upgrade its ability to serve customers and address any problems.
The information technology and management services firm fails to meet deadlines due to a high turnover of staff and a breakdown of project management.
A telecommunications firm is sued by customers claiming they were sold a defective system with inadequate security protections.
The customers claim the faulty system allowed individuals to access their phone system and, as a result, they incurred fraudulent overseas charges.
Indemnity Paid: $345,000
Before we move on, here a couple of interesting facts about data breach losses:
Based on a sample of 900 breaches reported to insurance companies, 86% of the data breaches were discovered by third parties (not by the companies whose systems had been breached), and 96% were avoidable with simple precautions.
Monster # 6: Defending software that performed as promised*
How about getting sued when you have not done anything wrong and your product performs as expected?
A software company was sued by a customer after he used the company’s cost estimating software.
The software itself was found to have functioned perfectly. The error was on the part of the user, who later underbid a work project. The customer eventually dropped the case, but only after considerable legal expenses were incurred by the software company.
Indemnity Paid: $0 / Defense Costs Paid: $175,000
Monster # 7: Inability to deliver on marketing “promises” *
A personal computer assembler is sued by a group of consumers in a class action suit.
The suit alleges that the company’s equipment did not live up to advertised specifications. Citing issues such as lack of speed and poor upgrade capability, the consumers demand full refunds.
Indemnity Paid: $1,600,000
Monster # 8: Web design and integration services * *
Our policyholder was hired to create an e-commerce website for trading and selling valuable collectibles. The client later alleged that our policyholder failed to deliver a working website and negligently recommended that the client purchase Web-enabling software from another company that then abandoned the project and the software.
I’ve limited this article to the brief explanation about Errors and Omissions and the other 7 loss scenarios because I know that most people won’t be naturally inclined to read about insurance.
But when you think about it, being able to learn about real-life examples of what could happen to your business (without actually experiencing it) is a very simple way to identify potential risks ….. and that, my friend, is precisely step #1 to implementing a good risk management plan.
Insurance can help you when/if bad stuff happens. But there’s tons of stuff you can do, aside from purchasing insurance, to protect your business.
Let’s be honest: Even if you have a good understanding of what insurance does for you or for your business, deep inside, we all believe that peace of mind should be free, and that we shouldn’t have to pay a “premium” to enjoy it.
In reality, though, we all know that our modern society would not be able to function without the safety net provided by insurance.
As you attempt to achieve your company’s goals you will naturally take a number of risks that may bring about accidental losses (to your property, your income, through liability to others, etc.).
While some losses you may be able to absorb (pay for) yourself, in many cases you will want to ‘transfer the risk’ and the costs associated with those losses to someone else: an insurance company.
Click here to see some scenarios where you would be happy that the risk was transferred to an insurance company, and that the loss did not directly impact your company’s ability to survive and grow.
By the way, risk management is not merely about insurance.
Insurance is simply one of many ‘risk management techniques’ you’ll need to implement in order to achieve your growth and profitability goals.
Still, a day doesn’t go by without someone telling me that they really don’t enjoy – OK, they hate – paying for something they can’t see or touch, and hope they never have to use.
So, what could possibly be worse than paying for insurance?
Paying for it month after month, year after year … believing that “you’re covered”, only to find out – when the unexpected happens – that you are NOT.
How do you prevent that from happening to you?
Here’s the most important message I want to share with you in this article: Traditional ‘business insurance’ and traditional “Commercial General Liability” (CGL) policies are not sufficient to protect technology businesses against what I call “The Monsters” (risks).
In fact, as an IT consultant, software developer, game developer, web designer, or owner/executive in charge of a data centre or other type of tech business, you face risks that are usually excluded from coverage in regular business insurance policies.
Regardless of how mysterious, complex, or boring you find insurance, you must make sure that your policy provides coverage for the types of risks your technology business is exposed to.
Some of the coverages that you may need include:
• Technology-Specific Errors & Omissions
• Copyright or Trademark Infringement Liability Protection
• Property – including, as needed, EDP Property and R & D Property
• Network and Information Security Liability
• Reputation Injury and Communication Liability
• Commercial General Liability
• Equipment Breakdown coverage
• Media Liability Protection
Also, ask your broker to show you that the policy definitions of “business activities” actually match what your business does, and if not, ask if the policy allows for inclusion of your own definitions.
It’s true that properly insuring an IT business can be tricky. Our industry has product managers at insurance companies struggling to figure out ways of covering you from “social-media risks” and other Monsters that didn’t exist a few years ago.
The good news is leading insurance companies are finally paying attention. They’ve developed quality insurance products designed specifically to protect tech companies.
By the way, I know that some smaller tech firms try to get by without proper “risk transfer” (insurance) plans.
If you know anyone operating without an insurance safety net, please remind them that one of the truly sad realities of today’s business world is that you can be sued … even when you didn’t do anything wrong … and even after your software or service performed as expected.
Sure, you might win the lawsuit … after trading a big chunk of your hard-earned money for legal defense fees.
In fact, legal costs generally represent a large portion of the overall Professional Liability claims cost. That’s due to the need for expert (read: more expensive) witnesses and lawyers.
Bottom line – given the complexities of a technical business it makes sense to seek out well-designed, technology-specific insurance coverage from insurance companies – and brokers – who specialize in technology.
That is the first step in eliminating any looming doubts about whether or not you are covered.