No reward for ignoring cyber risk
Today, virtually every business uses a computer, connects to the internet, and collects payments, meaning virtually every business can benefit from cyber liability insurance.
From the pages of In Business magazine.
Hacks. Data breaches. Ransomware.
In such a connected, data-driven world, these are real threats facing companies and industries well beyond the retail, health care, and financial sectors.
It’s why any good disaster management and cybersecurity plan should include cyber liability insurance, say the experts we spoke with.
“These policies ought to be considered by anyone who relies on computer programs to run their business, which is to say just about everyone,” comments David Kruse, a client executive for Hausmann-Johnson Insurance. “Not every business will be at risk for a major data breach, but anyone with internet access could be subject to a ransomware attack, a zero-day attack, or a DDoS (distributed denial of service) attack; anyone who uses email or has access to another’s network could pass malicious code to them; and if you have a website, you could be sued for trademark infringement due to your online content.”
If that sounds like just a lot of worry about something that isn’t likely to ever affect your company, you could be right. But ultimately business owners and executives need to ask themselves if it’s really worth the risk of not carrying cyber insurance.
“Like any insurance, people don’t need it until they really need it,” notes Stephen Lyons, government affairs and communication advisor for the law firm Husch Blackwell, who has worked with a number of clients following a data breach. “When entities go through this experience, the number one thing they say again and again is, ‘If I had known how complicated and expensive this was going to be I would have paid [for] the coverage.’”
According to Lyons, a simple mistake like opening an attachment, downloading a file, or sending information to the wrong email address can be the difference between a company succeeding and that company taking drastic measures to pay for the damage done.
“For example, I’ve seen instances where the company has had employee personal information stolen and then the company had to downsize to help pay for the breach — it’s heart-wrenching,” Lyons says. “On the flip side, I have worked with companies that prepare for this situation. When it happens, experts are brought in, the costs are covered, and the company can continue to focus on the things they need to focus on to thrive in the marketplace. I assure you, these executives sleep better at night.”
Kruse says the risk analysis process should start from the following mindset: It’s not if a cyber event will happen; it’s when.
“The most common objections I hear from clients regarding cyber insurance are: ‘I’m too small,’ ‘I don’t have anything they want,’ ‘They would never look for me since I’m just a local [contractor, manufacturer, restaurant, etc.],’” explains Kruse.
“Here’s where we need to change our thinking,” he continues. “Hackers often start by finding your network’s weaknesses before they’ve even found out who you are. Using search engines like Shodan, bad actors can scan entire IP address networks, find software and devices with known vulnerabilities, and then exploit the vulnerabilities. It really doesn’t matter how big you are — if you are an easy target, you will likely be targeted.”
Cyber liability policies are not your grandfather’s, or even your father’s, insurance. They’re still relatively new to the insurance marketplace and as such are still changing.
Cyber liability insurance has evolved immensely in the last three years alone, notes Derek Lacniak, account executive director of cyber practice for M3 Insurance. While the cyber liability product has been around for over a decade, it was initially reserved for very large, high-risk exposure organizations. The insurance marketplace began by building the cyber liability programs for these specific types of clients, and tailored the coverage to their specific needs.
“A few short years ago, many insurance companies simply tossed in cyber coverage as a free coverage,” explains Ted Nickel, Commissioner of Insurance for the State of Wisconsin. “The idea of cyber coverage was often assumed to be covered under general liability coverage or other coverages in a personal or commercial policy. The rapid development of cybersecurity risk, associated breaches, and losses focused the attention of insurers and risk managers on the issue of cybersecurity coverage.”
Lacniak says in the last three years, cyber liability has hit “Main Street” and become accessible to businesses of all sizes from all different industries. “The rise in insurance carriers entering this marketplace has been dramatic, with the marketplace now having well over 50 different insurance carriers, which would have been around 30 three years ago. As more insurance carriers have entered the space, it has created a very competitive marketplace that is buyer-friendly.
“What continues to lag in the marketplace is true actuarial data and underwriting comprehension,” Lacniak continues. “Cyber liability is an exposure unlike any other, and carriers continue to struggle on how to underwrite or rate these types of policies. Policies are being priced on the amount of revenue the organization generates — a typical rating basis in insurance — without any regard for the security controls in place or the type of data the organization has access to. Until we have the same type of actuarial loss database that other mature lines of coverage like property insurance, product liability, and auto liability have, we expect to see relatively soft pricing.”
Mindi Giftos, office managing partner of Husch Blackwell’s Madison office and co-leader of the firm’s Data Privacy, Security, and Breach Response team, says for many years companies overlooked the importance of obtaining cyber liability insurance if they were not in the technology industry.
“However, over the last several years, companies have begun to realize that almost every company that transacts business may be vulnerable to cyber attacks,” Giftos states. “Today, not only are financial transactions done online, but many companies now store their data and/or provide services on the cloud or through other hosted providers. This means companies have less control over the security of their data. Hosting companies and vendors will not often contractually assume the risk of a data breach, so often the most practical solution is to obtain cyber liability insurance.
“In addition, not every data breach is a major security incident where entire systems are compromised,” adds Giftos. “One of the most common ways data is stolen these days is through fraudulent or ‘phishing’ email attacks. As simple as they may sound, they are often quite sophisticated and effective, which can cost companies who are victims to these crimes substantial resources.”
Kruse says hackers and data breaches are not the only reasons for companies to carry cyber liability.
“Data breaches do get the lion’s share of attention due in large part to the staggering number of individuals affected,” Kruse notes. “Seventy million during the Target breach in 2013, 80 million in Anthem’s case, and a staggering 360 million during the MySpace breach. But take the Target breach as an example: that breach occurred not because of weak systems on their end. It happened because one of their HVAC contractors had lax cyber security standards, became infected with malware, and the criminals were able to snag the contractor’s login credentials for a document management portal for Target contractors. They then uploaded more malware to Target via legitimate login credentials, and stole tens of millions of credit card numbers. This situation represents another major cyber insurance benefit: coverage for transmission of malicious code to a third party.”
Fazio Mechanical, the HVAC contractor, is still in business and hasn’t been sued by Target, Kruse adds, likely because Target doesn’t think they can recover much from them, “but it’s not hard to imagine a scenario in which Target sues them into oblivion.”
The rise of ransomware provides another compelling reason to consider the coverage, explains Kruse. Ransomware attacks, which an IBM study found quadrupled in 2016 to an average of 4,000 per day, can cripple a business if not handled properly; it’s been used to bring hospitals to a halt and to shut down a manufacturer’s entire operation. “A cyber insurance policy will pay the ransom demanded and will provide forensic IT professionals to help determine how the incident occurred and what can be done to fix it. To put it plainly, if you use email, you’re at risk, since most ransomware is delivered via infected email.”
Arguably the greatest benefit to a good cyber liability policy will be the breach response coach provided by the policy, adds Kruse. “Responding to a cyber event is not a do-it-yourself project, so when you report a claim, the carrier will connect you with a breach response coach (a data breach attorney) who will coordinate the response and mitigation efforts on your behalf. They will have pre-negotiated contracts with forensic IT firms, PR firms, call centers, and more, and will orchestrate the response efforts.”
Nickel has seen a significant number of data breaches over the last couple of years. “Whether a company has cyber insurance should not matter in terms of adequate consumer protections,” he notes. “Regulators require notification directly to consumers letting them know of what happened and a plan to protect them subsequent to the breach. If they don’t do this on their own, companies will be ordered to provide some sort of identity protection and credit monitoring for a period of time. Cyber insurance will help offset the often significant costs of remediating the loss and the costs to provide consumer protections.”
Lacniak says state law dictates what a company must do if it suffers a data breach, including its duty to the owners of the information it lost. Those obligations apply whether or not the company carries cyber liability insurance. Companies that do not purchase cyber liability insurance, however, risk being unable to fund their incident response.
“Even if you disregard the low rates of third-party litigation following data breaches, the clean up costs following an incident alone can threaten the viability of organizations,” notes Lacniak. “For example, the vice president of human resources for a company has their laptop stolen out of the back of their car. On the laptop, saved to the desktop, is their annual health insurance census information, which includes names, addresses, Social Security numbers, etc. It is likely that the thief took the laptop to resell it on the internet; however, in most cases, this laptop needs to be treated like it was stolen for the private data and a response may be required as if all the data has been compromised. After a low-scale forensic investigation, legal costs, notification, credit monitoring, and other expenses, this single laptop can easily exceed $50,000 in remediation costs.”
Giftos adds that there is no statutory requirement for a company to carry cyber liability insurance; however, companies may be contractually obligated to hold certain coverage, so failure to obtain and maintain agreed-upon coverage could itself create liability.
In addition, Giftos explains, it is always helpful for companies to be able to show that they have taken all reasonable steps to protect their customers and constituents from a data breach, which could certainly include obtaining appropriate insurance coverage. “Ensuring appropriate insurance coverage is probably as important as ensuring appropriate information technology standards and protocols to protect information.”
If we’ve established that having some type of cyber liability coverage is beneficial, there are still questions companies should ask to determine the type and level of coverage to best fit their needs.
In the cyber liability environment, there are three industries that are referred to as the “Big Three,” notes Lacniak. They are retail, health care, and financial institutions.
“While any company can have an incident related to a lost laptop or accidental email miscommunication, the Big Three are the industries where the sensitive nature of the information being handled is only outweighed by the sheer volume of the data,” Lacniak explains. “Most organizations in these industries now need to purchase this type of coverage commensurate to their exposure and risk profile, as a massive unfunded data breach will easily leave them at risk of going out of business.”
Cyber liability, like any new coverage, is fairly customizable, Lacniak notes. A complication is that every cyber liability policy appears to be unique. “As every insurance carrier has raced to release their new cyber liability product, any uniformity like what we see in other insurance products was lost. Coverages that provide the exact same protection are often times called two different things between carriers. The perception of ‘uniqueness’ within cyber programs is rampant in the marketplace.
“That said, there are a number of insurance coverage add-ons that can be tailored to a specific client,” Lacniak continues. “For instance, coverage for PCI (payment card industry) fines and penalties can be one of the largest exposures for retail operations. Merchant card processors such as Visa or MasterCard reserve the unilateral right to fine and penalize merchants who are at fault for fraud. Those fines can be insured if a cyber liability policy is designed appropriately. However, if you do not accept or handle credit cards in any way, then this coverage is not needed.”
Cyber liability coverage can be very nuanced, especially when comparing multiple providers or switching from one provider to the other, Lacniak notes. There are some common gaps, or “tricky” exclusions to watch for:
- Outdated or end-of-life software exclusions;
- Unencrypted data exclusions;
- Mobile device exclusions;
- Unauthorized collection of data exclusions;
- Application warranties to the policy;
- Paper record exclusions.
Giftos reiterates that every company can benefit from having a cyber insurance policy. The breadth of the policy really depends on the potential risk.
“The level of risk will depend on what types of sensitive information the company processes or stores, the amount of information stored, and the number of potential vulnerabilities for attack,” says Giftos. “If a company does not have cyber insurance, sometimes security incidents may be covered under other policies. Usually, however, if a company does not have cyber insurance, they will have to pay the costs of investigating and remediating the incident out of their own pockets. In addition, government investigations and lawsuits following data breaches are quite common.”
Nadine Friedman Daniels, senior vice president at Arlington Heights, Ill.-based Integro USA Inc., an insurance brokerage firm, says companies considering the need for cyber coverage should evaluate all of the risks to the business.
Some considerations may include the following:
- What’s the client/customer base and industry?
- What type of information does the company hold (PII/PHI/PCI/corporate information, etc.)?
- What is the total number of records held?
- Consider the employee information that you hold.
- Consider the vendor relationships and review existing contracts.
“Insurance is one of the primary ways that companies transfer their risk,” Friedman Daniels notes. “The application process alone can help to make a business become a better risk. If the business does not buy cyber insurance, the liability would presumably fall to the business unless coverage is available within their other traditional policies.”
Friedman Daniels also recommends a thorough review and analysis of the company’s other insurance products, as well as conducting a gap analysis to identify uninsured exposures. Additionally, companies should review the cyber insurance products available on the market, paying particular attention to the available insuring agreements and the coverage triggers.
All companies should engage in appropriate risk management strategies to avoid loss, advises Nickel. The risk management strategy should be relative to the sophistication of the firm.
“Cyber risk is real and something that should be taken very seriously,” adds Nickel. “Once the level of potential cyber risk is identified, an appropriate amount of cyber insurance will help mitigate losses. Simply purchasing cyber insurance is not a risk management solution, but a part of a larger overall risk management program.”