Great Thinking

Cyber Risk Insurance Solutions

Any organization with a database, web presence, e-mail or computer-based confidential records is at risk for cyber theft. Whether from laid-off employees with a grudge or hackers half a world away, the damages of cyber theft, sabotage and ineffective privacy protection can devastate any business.

Risk Realities

Information technology (IT) has rapidly evolved into the high-stakes global playground for online data predators. Companies are vulnerable because standard property and casualty insurance typically does not cover the consequences. Often, IT and privacy losses are stated exclusions.

In 2008, according to a study by Purdue University and the security firm McAfee, theft of intellectual property, fraud and damage to corporate networks cost corporations over $1 trillion worldwide.* According to the same report, cyber crime cost the companies participating in the study, on average, $4.6 million of intellectual property in one year.

For financial firms, internet retailers and others whose businesses are data-driven and conducted online, their databanks, computer systems and storehouses of sensitive information are virtual warehouses.

Some standard property and casualty (P&C) insurance policies cover physical damage to data centers (for example, from flood or fire) or replace lost hardware. P&C policies usually exclude coverage for data restoration, software installation, privacy losses and lost revenue during recovery. The risks are real, and cyber liability demands specialized coverage.

Protection Policies

The fairly new field of cyber coverage goes by the terms Network Security, Information Security, Internet Liability and Privacy Liability. Policies vary widely, but generally address two areas: first-party risks and third-party liability. First-party insurance is coverage for the insured. Third-party insurance provides protection in the event of proven loss by someone other than the insured.

First-party coverage is essential because e-commerce companies and others are legally responsible (liable) for safeguarding personal data, including customer credit card numbers, medical history, credit reports and other sensitive information. Federal regulations and state laws can result in significant penalties if data is mishandled, leaked, inappropriately accessed or if security is breached.

First-party protection usually includes coverage for the following situations:

  • Network damage or loss
  • Data restoration
  • Business interruption
  • Notification expenses
  • Credit monitoring
  • Breach discovery costs
  • Intellectual or media property
  • Electronic theft and extortion
  • Crisis management

Third-party cyber coverage usually relates to liability and associated costs. Situations in which the first party allegedly causes damage or loss for the third party might require coverage for:

  • Unauthorized action by first-party employees or their subcontractors
  • IT system flaws enabling hacker access
  • Misleading web content resulting in competitor business loss or higher customer costs
  • Negligent handling of confidential information
  • Legal defense costs and regulatory penalties

As with all insurance policies, the coverage is in the details. Buyers should work with their broker to add necessary enhancements and avoid unwanted exclusions.

Exposure Categories

Commercial insurance brokers help clients determine what coverage is best for their cyber liability needs. The coverage needs for clients that are technology companies differ from those that are non-tech in nature, but still exposed.

Some experts categorize internet liability into four insurable categories.

  • E-business interruption, whether caused by accident or attack, results when there is damage or loss of network function or data. First-party Liability coverage responds to the business losses related to the interruption period and recovery process.
  • Media Liability coverage protects the insured against claims arising from the content of its website. It may include protection against charges of copyright infringement, libel, slander and advertising damage.
  • Kidnap and ransom goes cyber when criminals threaten to disable and disrupt online business transactions or disclose a breach in security. Coverage against such scenarios is categorized as Cyber Extortion.
  • By far, the most widespread category of liability is Privacy Breach and Network Security. Any organization that collects, stores and transmits information is at risk. If the breach in security affects a third party, a lawsuit may ensue and fines (plus penalties) may be enforced. Response, remediation and restoration of reputation all come with a hefty price tag. Unauthorized access and cyber attacks are covered by Network Security policies. Privacy Liability policies protect against failure to protect confidential information.

Insurance Carrier Requirements

Businesses applying for cyber coverage will find insurance carriers evaluating them in areas that impact risk. The more business a company conducts online, or the higher the volume or sensitivity of its database content, the greater the exposure. Insurance carriers will consider the nature of the business, its revenue and number of employees.

An applicant company is more attractive — and subject to better rates — if it has secure technology safeguards and enforced security and privacy policies. A security audit by an independent firm can not only help address areas of weakness before they are discovered by cyber-criminals, but also expedite underwriting.

Recommendations for tightening security include:

  • Screening and limiting employees with network access
  • Reviewing security protocols
  • Checking that backed-up data is complete and safe
  • Updating anti-virus software
  • Protecting passwords and screensavers

* ABC News Internet Ventures

Media Contact

Lori Tapscott
Holmes Murphy & Associates
Corporate Communications
515-223-6963
ltapscott@holmesmurphy.com