Cyber Insurance: Considerations for Businesses

by Teri Cotton Santos

According to the 2016 RIMS Cyber Survey, 80% of respondents had purchased stand-alone cyber insurance policies, up 29% from 2015. There are several drivers for the emergence of cyber insurance and why companies are increasingly looking to obtain it. First, the cost of a cyber breach is high. Ponemon’s 2016 Cost of Data Breach study reported that the average cost of a data breach is $4 million, up 29% since 2013, with the average cost per record at $158. Additionally, some organizations are seeking stand-alone coverage due to contractual requirements imposed by business partners. In the RIMS Cyber Survey, 25% of respondents reported that their organizations purchased cyber insurance as a result of contractual obligations, up 17% from 2015.

A cyber insurance policy is intended to help organizations mitigate the costs associated with a cyber-related security breach. Cyber coverage was originally intended to address data privacy or data breach issues. As a result, the primary purchasers of this insurance have historically been organizations that collect significant amounts of financial, health-related or consumer information and therefore have a larger exposure to data breach risks. These include retailers, health care organizations, banks and insurers.

However, the range of risk exposures presented by cyber-related events reaches far beyond data privacy and data breach issues and therefore can impact any organization, not just those that collect and store sensitive personal information. For example, cyber extortion—the use of malicious software that blocks access to a computer system until a ransom is paid—is a prevalent and formidable risk, according to the FBI. Additionally, the emergence of the internet of things and the reliance upon technology to support critical infrastructure represent a different form of risk exposure for entities such as commercial carriers and utility providers.
Finally, all organizations can be subject to business interruption losses or crisis management costs, both of which are typical offerings in cyber insurance policies today. Any organization considering stand-alone cyber coverage should carefully evaluate its risk profile and whether its more traditional policies provide coverage for these risks.

Do Traditional Policies Cover Cyber Events?

Organizations that do not purchase stand-alone cyber policies may look to more traditional policies like commercial general liability (CGL), property or crime to provide coverage for cyber-related events. In some instances, courts have agreed with the insured. For example, in Travelers v. Portal Healthcare Solutions [1], the Fourth Circuit found that the insured’s failure to secure a server, which resulted in the availability of personal health information online, was a “publication” under the personal injury and advertising provision of the insured’s CGL policy. Therefore, the court held that the insurer had a duty to defend the insured. In another case, Apache Corp. v. Great American Insurance Company [2], the court found that the insured’s losses were covered under its computer fraud policy after the company wired $2.4 million to a fraudulent account based upon a bogus email. In other cases, courts have found that computer system failures due to physical damage were covered under property policies [3]. However, coverage under such policies may diminish in the future as insurance companies write cyber risk out of traditional policies.

The trigger for cyber coverage is typically a loss or a claim arising from either a security failure (due to a break-in to the insured’s technology systems) or a privacy event relating to the unauthorized access or loss of personal information.
These loss causes are ordinarily not covered by property or general liability policies, which is why companies seek stand-alone coverage.

In 2014, the Insurance Services Office (ISO) introduced an endorsement for CGL policies that excludes data breach liability. Thus, insurers using this endorsement, entitled “Exclusion – Access or Disclosure of Confidential or Personal Information and Data-related Liability with Limited Bodily Injury Exception,” will not cover claims arising from a breach of data that leads to confidential or personal information leaks.

Types of Cyber Coverage

First Party Coverage
• Network interruption/business interruption
• Cyber extortion/ransom
• Data loss and restoration
• Reputation/crisis management
• Theft/fraud
• Forensic investigation costs
• Regulatory fines
• Media liability

Third Party Coverage
• Privacy liability
• Breach notification costs
• Credit monitoring
• Transmission of viruses or malicious code

Types of Cyber Coverage

There is no standard form for cyber insurance, and policies are sold under different names including “cyber risk,” “privacy” and “information security.” Currently, cyber coverage is available for several first-party and third-party liability coverages. The table above provides a summary of some available coverages. An insured may purchase this coverage modularly, but many carriers also offer coverage packages for the most common perils.

First-Party Coverages

Network interruption coverage provides cover for the costs of lost business and additional expense due to an interruption in the insured’s network. Most policies require the interruption to last a minimum length of time before coverage applies. For companies that have a high volume of online sales or whose revenue depends heavily on the availability of the internet, this is a coverage to consider. Some insurers offer data loss and restoration coverage to pay the costs of recovering data as a result of a triggering event.

Cyber extortion occurs when hackers deny an insured access to its own network or threaten to disclose the insured’s confidential information unless the insured pays a ransom. Cyber extortion coverage will pay the cost of the ransom demand.

For many companies, the cost of reputational harm resulting from a data breach can be substantial. Many cyber policies include coverage for the cost to retain a crisis management team to help mitigate first-party reputational harm caused by the event. Additionally, some insurers will recommend crisis management vendors. Forensic investigations coverage includes the cost of forensic examiners to help assess the root cause of the event and improve risk control in the future.

Third-Party Liability Coverage

Privacy liability coverage covers the insured’s liability for breaches of the private information of third parties such as clients, customers, business partners and employees. Additional costs related to privacy events, including breach notification costs and credit monitoring, can also be offered in cyber packages.

Considerations for Your Business

Another area of large exposure is in those industries where business interruption is of greater concern than breaches of personal information, such as utilities, manufacturing and transportation. Finally, industries where the value of the lost information is most critical, such as defense contractors and research labs, are generally excluded from today’s cyber policies.

Additional Coverage Needs

Growing areas of coverage include cloud coverage and outsourced service provider coverage for the insured. As companies continue to outsource portions of their operations or rely more on software-as-a-service and platform-as-a-service providers, the risk that these providers create for the insured is increasing. While some of this liability can be transferred to the third-party provider, the amount of damages due to a security failure could be extreme.
Some insurers are offering first-party coverage that protects against losses due to business interruption related to outsourced providers.

There remain some gaps in cyber coverage that insurers must address. For example, large data aggregators with massive amounts of personally identifiable information present a unique and potentially costly risk, and cyber limits have not yet caught up. As more consumer products integrate with technology, the risk of bodily injury from cyber perils is increasing. Insurers need better information to respond to risks related to emerging technology such as the internet of things, driverless cars or wearable medical devices.

A company’s assessment of its cyber insurance needs should begin with an assessment of its sources of risk and perils. A company should also consider whether these perils are covered by other policies or are excluded. For example, a company that handles and/or stores significant amounts of third-party personally identifiable information should consider coverage that includes both security and privacy liability as well as coverage for regulatory action, such as fines. The company should also consider privacy event costs: the cost of forensic investigation, crisis management, privacy notification and credit monitoring.

When evaluating cyber coverage, an insured should consider whether the policy covers the acts or omissions of third parties. This is particularly pertinent for companies that rely on outsourced vendors to manage their data. Not all policies are equal in terms of exclusions. The insured should carefully consider language related to shortcomings in the insured’s security, which can be subjective and therefore should be avoided. Additionally, some policies exclude acts of terrorism, which may prevent an insured from recovering if an event is triggered by the actions of a hostile nation.
Finally, along with cyber insurance, insurers are increasingly offering risk control packages to help insureds reduce their cyber risk. These packages may include employee educational tools, limited legal consultations on security policies, crisis management plans and technical support offered by third-party information security vendors.

Teri Cotton Santos is senior vice president, chief compliance and risk officer at The Warranty Group and a member of the RIMS External Affairs Committee.

[1] See Travelers Indemnity Company of America v. Portal Healthcare Solutions (E.D. Va. 2014).
[2] See Apache Corp. v. Great American Insurance Co. (S.D. Tex. Aug. 7, 2015).
[3] See American Guarantee & Liability Insurance Co. v. Ingram Micro, Inc. (D. Ariz. April 18, 2000) and Landmark American Insurance Co. v. Gulf Coast Analytical Labs (M.D. La. Mar. 30, 2012).

Copyright © 2017 Risk and Insurance Management Society, Inc. (RIMS). All rights reserved.