Cyber Insurance Basics – What You Need to Know

April 16th, 2015

By Charles J. Vorbach, CIC, CRM, MLIS

Cyber security breaches are now so commonplace that anyone who stays abreast of current events knows the magnitude of the issue. The list of companies hit by damaging breaches reads like a Who’s Who of major international corporations: Target, Sony, Adobe, EBay,  P.F. Chang’s, Domino’s Pizza, AT&T, Community Health Services (CHS), Home Depot, Google, Apple ICloud, J.P. Morgan Chase to name just some. The average cost of a data breach has sky rocketed to $5.85 million.[1]

So as a business owner, board member, manager, entrepreneur, or investor what do you need to know?

First of all, attacks aren’t limited to big business. Criminals are increasingly finding that small and middle market companies are easier prey. Online security firm Symantec recently reported that 30% of victims have fewer than 250 employees.[2]

You and your organization should now expect to be held accountable for safeguarding the personal, private and/or confidential information you collect from customers, patients, business partners, investors, acquisition/merger candidates, employees, donors, and others. Organizations that design, implement, provide and/or administer IT systems for others can expect to be held to a higher standard for data security.

In addition, any organization with an internet presence must be aware that it can be held accountable for offences traditionally considered “publisher’s liability” risks such as libel, slander, disparagement, intellectual property infringements of copyrights, trademarks, and similar offences.

Furthermore, an increasing number of attacks don’t even attempt to steal data. They aim simply to destroy data or interrupt business operations (the Sony Pictures hack is the poster child for this type of breach). So your own data, confidential information, and intellectual property are at risk too.

The insurance industry continues to develop policies that respond to these losses. While no two insurer’s policies are identical, available coverages can include:

Network Security Liability

Covers lawsuits alleging a failure to adequately secure data resulting in a data breach, a failure to prevent the transmission of a computer virus, or the inability of others to access data on your system.  This can be caused by a virus, malware, unauthorized access or damage by a hacker (including a  rogue employee), or a denial of service attack.

Privacy Liability

Coverage includes allegations of financial loss to third parties due to an improper dissemination of private personal or confidential business information. Losses can arise from hackers, lost laptops, phishing, or even lost hard copy files.

Media Liability              

Provides protection from lawsuits alleging offences such as libel, slander, disparagement, defamation, copyright or trademark infringement, invasion of privacy, and domain name infringement arising out of material published on your website.

Loss or Damage to Electronic Data

Covers your cost to recover or restore lost, corrupted, damaged, or stolen data stored on your computer system caused by accidental damage, errors, hackers, denial of service attacks, viruses and similar causes.

Loss of Income and Extra Expenses

Provides coverage for income lost due to a data breach or denial of service attack plus coverage for extra expenses incurred to minimize or avoid a business shutdown. 

Cyber Extortion

Provides for ransom payments and other coverages when hackers attempt to extort an organization by threatening to divulge stolen confidential information or to conduct a denial of service attack.

Notification Costs

Covers the cost of complying with state notification requirements to parties whose confidential information may have been breached including credit monitoring services. Costs associated with a data breach average $201 per record compromised according to the Ponemon Institute 2014 Cost of a Data Brach Study.

Reputational Damage

Pays the expense of hiring public relations experts to help protect the organization’s reputation at the time of a loss.

Fraud, Terrorism and the Evolution of Insurance Coverage

In the continually evolving world of cyber insurance, some insurers offer additional coverages such as computer fraud, funds transfer fraud, social engineering (duping victims into divulging information that compromises data security), and cyber terrorism (hacking done for political purposes) as well as industry specific coverage forms (e.g., cyber coverage for law firms, healthcare providers, etc.).

 Conclusion

The threat is real so you should be thinking carefully about what you are doing to protect your organization before and after an attack. Since cyber policies vary from insurer to insurer, it is critical that you walk through your coverage options to be sure the policy you purchase lines up with the risk exposures you actually face.

 


 

 [1] Ponemon Institute 2014 Cost of a Data Brach Study

[2] Semantec 2014 Internet Security Threat Report