November 2008

Insurance products respond to increase in cyber risks

In today’s world, information is exchanged instantly. The Internet has become a primary channel over which people communicate and conduct business. This evolution brings with it new opportunities and rewards, as well as risks and liabilities.

By David Turner

Network security has become a critical risk concern for businesses as revenues generated through online channels have grown as a percentage of total revenue and strategic outsourcing partnerships are forged. Where traditionally corporate risk officers have been charged with protecting the tangible assets of the company, their job becomes more complicated when this oversight extends to risks like intellectual property and brand reputation.

Cyber-liability exposures and data breaches, especially those that involve the integrity of personal information, create the potential for putting a company’s reputation at risk. In the past 12 months, governments, financial institutions and health-care providers alike have all been exposed to data breaches resulting in significant settlements and reserves, not to mention the resulting panic from major stakeholders — specifically, customers. After a system is breached, news about the incident can quickly spread across the globe. It can take months to repair the damage arising from losses that stem from just seconds of disruption. Any business that collects and stores its customers’ personal information exposes itself to additional risks. Not-for-profits, educational institutions and retailers are also at higher risk, as the standard of care imposed on companies by regulators is now stricter. Data is also more sensitive, as it is shared across multiple networks and carried on portable devices.

One also must consider the risks that exist inside an organization. A data breach is not limited to a network failure; it includes any compromise of the security, confidentiality or integrity of personal information. Employees have access to sensitive information on a daily basis, and through fairly simple means, such as a universal serial bus (USB) memory stick, they can easily copy customer or patient data or compromise company trade secrets. Given the breadth of these databases and the prices paid on the black market for personal information, this can be a tempting source of supplementary income for line employees. With employees becoming more mobile in today’s business environment, a single laptop can be a window into thousands of customer records. The cost per record might be in the hundreds of dollars once charges for investigation, record recreation and customer notification are tallied.

Companies face many types of costs, both tangible and intangible, resulting from a security breach or privacy incident. These costs include:

  • loss of customers — current and future, income and reputation
  • share price drop
  • public relations costs
  • notification expenses
  • legal expenses
  • fines and penalties
  • judgments and settlements
  • internal and external IT costs to repair systems.

Managing the risk

Since risk avoidance is not a viable option for many companies, there are steps that can be taken to further mitigate liability risks from data breaches. These steps include:

Legal/network audit — Review existing protocols against the regulatory laws governing the collection, storage and disclosure of personal information, and ensure that those protocols extend to any third-party service providers responsible for critical pieces of the corporate network infrastructure.

Disaster recovery planning and business continuity plan — Complete these corporate-wide and test them regularly.

Establish mobile device protocols — Corporate information is readily available from laptops, BlackBerry devices and other mobile devices. Consider implementing encryption software and establishing password protection protocols for employees.

Employee training — Educate staff about the risks and importance of adhering to corporate information protection policies.

Data classification standards — Establish protocols for access to highly-sensitive information.

Insurance — As with all risks, loss control measures alone are often insufficient. Consider an insurance solution to provide coverage for data breaches and privacy liability.

The insurance market response

Insurers of traditional policies recognize the specialized nature and scope of cyber risks but often do not have the resources to underwrite them. The wording of standard policies is inadequate for insuring cyber risks in several ways:

  • exclusions and definitions in policies that limit or fully exclude network-related losses
  • the definition of property excludes electronic data
  • business interruption/extra expense coverage is only triggered if the direct loss is insured
  • property direct-loss coverage was designed for physical assets and physical perils, not information assets and electronic risks.

Insurance companies are increasingly addressing these issues by providing specifically designed coverage, while at the same time standard forms are clarifying intent with data and cyber risks exclusions in both property and liability forms. The reinsurance market implemented the virus exclusion in 2001. Realignment of the insurance industry around emerging risks has been going on for years, resulting in the development and prevalence of specialty products in the market, such as equipment breakdown and environmental policies. Therefore, it is no surprise to see the same reaction to privacy and network security risk.

The market has been addressing cyber risks in a focused way for the past decade, yet only in recent years has it focused on privacy liability arising from both network and non-network related losses. Some insurers have taken this further and offer coverage for breaches of personal information for any reason. Historically, securing insurance was an onerous, time-consuming and costly exercise that typically involved a third-party network security audit. The coverage was also limited to claims arising from unauthorized access to or use of a computer system, and not to losses arising from broadly defined data breaches. Insurers nowadays typically require details on revenue, scope of services and customer base; details on the disaster recovery plan, security audits, privacy plan and contracts; and interviews with IT, legal and risk management.

Insurers offering specialty cyber-privacy products include AIG, ACE, Lloyd’s, Chubb, CNA and St. Paul Travelers, while other insurers might address components of the exposure through extensions to errors and omissions and general liability policies. Capacity available from a single carrier can be up to $25 million, depending on the nature of a specific risk. A significantly higher amount is available through excess layers.

Network security & privacy liability coverage can include:

  • liability for media/content on an insured website
  • cyber extortion monies
  • failure to properly handle, manage, store, destroy or otherwise control personal information in any format
  • damage caused by retransmission of a computer virus due to inadequate network security
  • infringement of intellectual property for media or software on the Internet
  • Identity Theft Response Fund:
    • customer notification expenses
    • crisis management expenses including legal, public relations, or crisis management services to restore corporate reputation
  • loss or corruption of data caused by hackers, malicious codes or rogue employees
  • business interruption from network attacks and lost income if a website is shut down
  • contingent business interruption (BI) losses caused by network outages due to problems at a service provider.

In the end, the development of these products will be tied to both regulatory and legal responses to some of the larger breaches that have occurred. Each jurisdiction will likely have different rules and regulations as they relate to privacy protection protocols and customer notification. Insurance products must keep pace with the various liabilities and costs that companies incur from any security violation and the resultant damages. It could be argued that the tighter the network security and audit requirements imposed on insureds, the less need there is for insurance at all. Yet loss prevention and insurance are not meant to be mutually exclusive. Ultimately, the harsh reality is that the risks companies must manage are getting more complex and the consequences more severe. However, it is encouraging to see the insurance industry’s response to risks arising from data breaches — specifically, privacy-related losses. Its products have evolved to the point where meaningful risk transfer solutions are available.

David Turner (david.turner@integrogroup.com) is a senior associate with Integro (Canada) Ltd., a boutique commercial insurance brokerage firm. He has been in the insurance business since 1992 and specializes in technology and liability related risks.
