Cyber Threats Everywhere

When we last looked at business insurance in February of 2010, the market was soft trending on price, meaning rates were favorable to consumers for basic business lines like directors and officers and employment practices coverage. Not much has changed in that regard, but there is a worrisome trend — increasing cyber liability — that is not going away.

Lots of Leakers

The WikiLeaks controversy has brought cyber liability to prominence, but a small number of business cases had already sounded alarm bells. With cyber liability, insurance coverage addresses the first- and third-party risks associated with e-business, the Internet, networks, and other information assets. Traditional general liability policies do not properly protect the business owner, according to Murphy Insurance Group President Steve Murphy, and there are vast exposures to lawsuits based on what a business might contain in its website.

First-party coverage could be the costs associated with someone breaching a client's privileged information by hacking into a network. Many states require companies to notify all customers if a breach is even suspected, and to take necessary steps to correct the situation — a cost estimated at up to $30 or more per customer, Murphy indicated.

"Multiply this costs times your company's total number of customers, and you'll see how they can quickly add up," he noted. Even more chilling, this does not include the non-quantifiable costs associated with the potential loss of confidence in your organization by your current and potential customers.

Third-party coverage can be even more devastating as "lawsuits are growing by the day," Murphy warned. These suits could stem from a variety of risks, such as an Internet virus, theft of your customer's confidential information, identity theft, loss of data, and misappropriation of intellectual property. "As you can imagine, some of these risks could result in lawsuits that could easily reach hundreds of thousands and well into the millions of dollars," he stated. "Defense costs alone may reach into the hundreds of thousands."

One lawsuit not covered by insurance could leave a business with no other alternative than to file bankruptcy. With the ever-increasing usage of smart phones, laptops, and other mobile devices, Murphy notes that it's becoming easier for thieves to steal identity information, critical business information, transmit malicious codes, and participate in attacks against your network or the networks of others. The information gained from these attacks can be used for extortion threats against business owners.

Both Murphy and David Fritz, president and CEO of TRICOR Insurance, said the cost of the exposure is largely unknown because there is not much claims history with respect to cyber liability. This is limiting the coverage availability to companies who have the resources to research the potential costs associated with lawsuits, develop policy language, and price the product for profitability. Since most regional insurance carriers don't have these resources, "they will wait on the sidelines until enough data is gathered for them to enter the market profitably," Murphy predicted.

However, some insurance companies and independent agencies have been willing to step up with adequate protection. Yet without an actuarial history to fall back on, it's hard to identify frequency and severity, and rates are dependent on risk. "There is more data today than there was a couple of years ago," Fritz said, "but every day there is new technology being developed, and there are more and more people that are looking to create problems."

So while liability continues to evolve, it's important for employers to head off trouble. The primary change is a growing awareness of the importance of establishing preventive measures to avoid any type of a loss. "That is far more important than the actual coverage," Fritz noted. "The coverage is important, but if you can avoid the loss, that's first and foremost."

Even though an organization can have all the protections in the world, that may not be good enough to safeguard information. Yet this is no excuse not to take preventive steps, and actually going through the insurance underwriting process can be an eye-opening experience.

"They will quickly learn whether or not they have the things in place that, in a lot of cases, will be required for any insurer to say, 'I'm willing to take on the exposure that your company has for this type of loss,'" Fritz said. "A lot of times, the insurance companies will provide a quote, contingent upon certain things being done internally to further protect the carrier and themselves against the loss."

The internal controls relate to the human element associated with handling documents and work flows, and the firewalls, redundancy, and virus protections that also are necessary to prevent a breach. Fritz summarized, "Because of the transfer of the data, and the availability of the data, you really have to spend a lot of time on protective measures."

Sign up for the free IB Update — your weekly resource for local business news, analysis, voices and the names you need to know. Click here.