Cyber liability warnings bring yawns at Madison-area businesses
Insurers will also expect certain businesses — health care providers and retailers — to protect sensitive client data with encryption; they will expect best practices such as not keeping entire credit card numbers; and they might insist on vulnerability testing of IT systems, especially with respect to large clients buying coverage with multimillion-dollar liability limits.
In any event, when the right internal controls are in place, the cost of insurance goes down because insurers need some level of assurance that business clients are serious about managing risk. “Again, that applies mostly to larger customers,” Kaetterhenry says. “Smaller businesses like hardware stores or very small manufacturers, they are not buying limits that are very high.
They may not be required to do testing of that type on a regular basis, but for larger companies, particularly in the financial or health care sectors, there will be a requirement for them to be doing that on a regular basis.”
Since its introduction in the late 1990s, cyber liability insurance has become more varied and customizable. At first, it was primarily concerned with Internet sales and the loss of income associated with websites being shut down, but it has since evolved from more of a first-party coverage to one concerned with data breaches and the loss of personal information.
“If you look what coverages were available years ago and compare them to today, there’s a big difference,” stated Mike Kapfer, assistant vice president of underwriting for NSI. “Cyber liability policies vary tremendously in their scope and their amount of coverage. There are more basic coverages with smaller limits to help with the notification process, legal advice, and the IT forensics. There are more complex coverages with higher limits that will help pay for the business’s own data and equipment to be recovered and repaired. As time goes on, we will see that cyber liability coverage will become broader and what insurance companies will pay will be redefined. It’s an evolving product.”
Attorney Melinda Giftos of the Madison office of Whyte Hirschboeck Dudek noted that not all companies use cloud-hosting services or store highly sensitive, personally identifiable information. However, all companies store valuable data, so a breach could pose significant liability or risk for any employer. As a result, the components of cyber liability insurance now include coverage against third-party claims, breach remediation and notification costs, computer program and data recovery, business interruption coverage, extortion coverage, and communications and media coverage.
However, the big one is the cost of remediation after a data breach. Most state laws require notification, and Congress is working on a national data security law. In addition, some state laws mandate free credit reports and require credit card companies to bear the cost of issuing new cards. Remediation costs have grown to the point where, in 2014, the average claim was $188 per record for a company that lost records. “Take that times thousands of customers, and that has become a real issue,” Kaetterhenry says.
Computer program and data-recovery coverage may not cover your clients if you have their information, Giftos noted. This type of coverage can be very expensive, depending on the nature of a business, but other options include investing in secure backup systems.
Part and parcel of this is business interruption coverage. “This is key for companies that outsource primary business functions,” Giftos explained. “Business interruption damages are often classified as consequential, which is not often the reality in a security breach situation.”
Third-party technology and vendors should be audited and insured as well. In the Target breach, hackers got in through an HVAC vendor that had access to the retailer’s network — a fact that also raises the importance of monitoring any entity that has access to your system. “They must have the same amount of insurance and controls as you do because your vulnerability is dependent on their vulnerability,” Kaetterhenry stated. “It’s an interdependent system.”
If legal agreements and IT systems present a risk, premiums could be much higher, Giftos added. This is yet another reason to have solid contractual agreements with subcontractors and hosts.
Coverage related to crisis management, public relations, and communications might also extend to online defamation and trademark infringement. With websites and social media, there is potential not only for copyright and trademark issues but for online defamation as well.
Extortion occurs infrequently, but there have been instances in which disgruntled ex-employees collaborated with a hacker to place a computer worm into the system of the former employer and then offered to solve the problem more quickly if the company paid a large sum of money.
Giftos noted that the Federal Trade Commission has shown more interest in investigating security breaches to determine whether companies are adequately protecting consumers. The topic is certainly on the radar of Federal Trade Commissioner Julie Brill, who recently noted there are two kinds of companies: those that know they’ve been hacked and those that haven’t yet found out about it. If she’s correct, there is no longer a good excuse not to have cyber liability coverage.
Richard Marty of Compel Consulting, a Madison firm that helps clients prevent catastrophic data loss, said many small business owners don’t know where their data resides or how to retrieve it, let alone insure it against loss. Even if they have sensitive data, they might think they are too small or unimportant to interest hackers, but there are inexpensive solutions available that allow businesses to both secure data and ensure redundancy. Both steps, he noted, are prerequisites to insurance.
“From the insurance company, there is a checklist they go through to make sure certain things are set up in a certain way,” Marty noted. “It’s important for small businesses to understand that they need to take certain steps within firewalls, locking down the ports and backups, in order for their liability insurance to be valid.”