Committing to Cyber Coverage
Jim Ahearn, Doug Dittmann, and their brethren in the business insurance industry have fielded some inquiries about cyber liability insurance, one of the newer kinds of insurance lines, but they have not seen as many business people actually pull the trigger on purchasing this coverage, despite the many horror stories about data breaches and financial losses resulting from cyber crime.
Ahearn, a commercial account executive with Hausmann-Johnson Insurance, and Dittmann, president of the Neckerman Agency, both sense that businesses are so confident in the firewalls and virus protections they've already invested in that they view cyber liability coverage, also known as Internet liability or network and information security liability coverage, as a luxury. They disagree with that sentiment.
Every costly cyber crime that exposes a company to financial loss – sometimes catastrophic loss – brings closer the day when this type of coverage will be an annual cost of doing business for even non-regulated organizations. "There is a misconception that you don't have a risk if you are not involved in an Internet-based business," Ahearn said. "I get that response quite a bit as a reason for not purchasing this coverage. The cost of this insurance has started to come down, but I think businesses still consider it too cost-prohibitive."
Cyber liability is not a standard insurance product. Often, it will be tailored to meet a business' unique needs, but it protects against two types of risk – first-party and third-party risks. From a first-party standpoint, it will cover things like crisis management, hiring a public relations firm to manage a data breach incident, costs associated with forensic analysis, the cost of repairing and restoring computer systems if there is a virus that destroys business software and data, and the loss of business income resulting from a data breach.
Third-party risks exist for any business. Any business that collects protected health information or personally identifiable, non-public information like bank account numbers or Social Security numbers has an insurable risk. Most states, including Wisconsin, have a data breach notification law, and there are a number of federal regulations; both state and federal statutes are a source of claims. "Whenever there is a data breach incident, a business is required to comply with state laws," Ahearn noted. "Sometimes that includes setting up identity theft monitoring services for anybody whose information could have possibly been breached. Whether it was actually breached or not is beside the point."
One of the biggest risks for a company is unauthorized access from a virus, allowing a third party to breach your system. "It's the risk of breaching the confidentiality of your customers, risking your company's reputation, risking your own reputation, your character, and denying service to a customer of yours," Ahearn stated. "These are all risks of having a data breach, and the risk of non-compliance with federal or state laws."
Some cyber liability policies not only cover damages, they pay for defense costs. The classic example of where this would apply is the infamous TJX Companies incident, where the owner of T.J. Maxx and other retail brands had more than 46 million credit card numbers stolen from one of its systems over an 18-month period. The company had more than $9 million in settlement costs, not to mention the third-party lawsuits from the people whose information allegedly was breached.
The level of protection for people's credit card information depends on the encryption technology of the credit card providers, and the authentication measures they take.
"That's one way for businesses to transact business over the Internet – to transfer that risk to a third party that manages the credit card transaction," Ahearn noted. "That can reduce a business' risk quite a bit, but it does not eliminate the risk. They can still ultimately be responsible for the notification laws and so forth."
Since cyber liability insurance is not a conventional insurance product, its pricing can be very broad, Dittmann said, and typically the premium is based on the sales of an organization. "Obviously, the more sales, the more exposure; the more exposure, the higher the premium," Dittmann noted. "Premiums have stayed pretty firm. The market is evolving, but I'd say ballpark, the typical premium would be $1,500 a year for cyber liability coverage."
Pricing, Ahearn added, "is all dependent upon the insuring agreements that you purchase. Some standard carriers are coming out with coverage forms. For example, Travelers Insurance is coming out with a pretty sophisticated form that rivals some of the best already out there. Up until recently, however, most of these products have been priced through the brokering, the secondary markets, meaning we have to go out and broker it and tailor the coverage."
Dittmann also noted that not every major insurance company has responded with a cyber liability policy. Dittmann said fast-evolving cyber exposures are traditionally not covered by standard property and liability coverage. "A couple of years ago, that gap didn't exist, but it now is widening as more companies do more online," he said. "There is that exposure, and the traditional property and liability forms of the respective insurance companies haven't adapted to that. With the way we communicate today, it's so important to adapt because you're communicating so much via your website, email, and Facebook, the face-to-face communication is not done as much."
Some policies are much more watered down than others, and most provide stronger first-party coverage with more limited third-party coverage, Ahearn said. For example, some policies won't provide coverage for information that is in a non-electronic format, so a medical clinic that hasn't made the entire transition to electronic medical records and still has legally protected health information in paper files would carry considerable risk. "One of the fastest-growing crimes in the United States is the theft of protected health information," Ahearn noted. "There are markets for buying and selling personal confidential information."
Smart business organizations have well-developed and well-communicated policies and practices in place to prevent a data breach from occurring. They also should have developed a crisis management process that governs what to do in the event the unthinkable happens, which is where pieces of cyber liability insurance come into play. It includes coverage for public relations to mitigate negative publicity that results from an Internet calamity.
Such dire situations do not necessarily involve a data breach. "Maybe you made a mistake and you said something accidentally derogatory about another business and it comes back to bite you," Dittmann said. "That's where coverage like this would be very important. If you say something on your website that says you are better than ABC Manufacturing, and ABC Manufacturing objects, that's also a crisis-management situation about how you're going to correct a big mistake."
In the case of a data breach, an insurer typically works with the insured to find out what has transpired, what caused the breach, and the impact on business and company reputation. This claim process takes longer than most. "It's more of a walking type of process," Dittmann stated. "It's not like a fire to a building or a car accident, where you can say, 'Well, here it is, it's going to cost this much to fix.'
"It's not something that is cut and dried. It's a claim that could evolve over a much longer period of time to fully see what has happened to your business as a result of somebody breaking through your computer system."