By Shawn E. Dougherty
This year marks the thirtieth-anniversary release of the film WarGames. It's the story of a teenager who almost starts World War III when he hacks a U.S. military supercomputer. Back in 1983, that young man was unique. Today, the teenage hacker is a cliché. Everyone is aware of the threat of being hacked. That's why many businesses have implemented security measures to reduce the chances of an attack and installed recovery protocols to limit damage and resume normal operations afterward. Unfortunately, the business world is still trying to determine a suitable strategy regarding insurance. Even our collective knowledge isn't enough to eliminate the cyber threat. In fact, it appears to be growing.
Commercial data breaches exposed more than one billion records last year, including several high-profile incidents. PCMag.com identified some of the largest breaches in history, including Heartland Payment Systems (130 million records), TJX Companies (94 million records), and TRW (90 million records), to name just a few.[1]
As the number of cyber attacks grows, so do the associated costs. Recently, the nonprofit Center for Strategic and International Studies (CSIS) and the computer security firm McAfee released a joint study[2] indicating that the cost of cyber espionage and cyber crime in the United States totals as much as $100 billion annually.
The rising frequency and associated costs of cyber attacks are leading company owners and management to question whether they have proper coverage. If an enterprise is insured through traditional insurance products, the answer is probably not.
Some commercial insureds and insurance agents mistakenly believe that traditional insurance products provide adequate coverage to address exposures related to data breach. That typically is not the case. While traditional policies may provide limited coverage for some data breach costs, most do not cover all of them.
As the saying goes, you need the right tool for the right job. But first, you must stop using the wrong one. Traditional insurance policies no longer address all possible scenarios. And having a court find ambiguity in insurance coverage is never a good thing.
A case in point is a well-publicized breach at Designer Shoe Warehouse, commonly known as DSW. Hackers infiltrated the shoe retailer's wireless network to access credit card and checking account numbers for more than 1.4 million customers. DSW submitted a proof-of-loss claim that included costs incurred for communications with customers and for public relations in reaction to the breach. The company also sought reimbursement for defense costs in response to various government investigations. DSW submitted the claim under its commercial crime policy.
The insurer rejected the claim, believing commercial crime policies don't cover those expenses — bad news for DSW. But the news turned out to be worse for the insurer: DSW was successful when it sued the insurer. The court's reasoning behind the $6.8 million ruling was that any ambiguity in policy language should result in a ruling in favor of the insured.
That example is just one reason the insurance industry is currently reexamining coverage options in the face of growing cyber risk.
Insurers should begin addressing cyber exposures by adopting stand-alone cyber insurance policies that provide first- and third-party insurance coverage for computer- and Internet-related exposures, including the use of websites for commerce.
According to the Identity Theft Resource Center, as of October 1, 2013, there have been more than 450 data breaches exposing more than 8.3 million records this year alone.[3]
A joint study recently released by Experian Data Breach Resolution and the Ponemon Institute[4] shows that companies now consider cyber security risks to be greater than natural disasters or other major business risks. The study also indicated only about 30 percent of companies had some form of cyber liability insurance.
In her farewell speech as Homeland Security Chief this past summer, Janet Napolitano stated that "our country will, at some point, face a major cyber event that will have a serious effect on our lives, our economy, and the everyday functioning of our society."
The electronic age has altered the business landscape forever. Hackers will always find new and creative ways to access computer systems, and every successful business could fall victim to at least some measure of cyber risk. It's up to insurers to make certain that proper insurance coverage is readily available.
Shawn Dougherty is assistant vice president, Specialty Commercial Lines, ISO Insurance Programs and Analytic Services.
4. Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age, research report independently conducted by Ponemon Institute LLC, sponsored by Experian Data Breach Resolution, August 7, 2013
ISO recently implemented revisions to the confidential information exclusion in its commercial and government crime policies and its financial institutions policies. The company also introduced a data breach exclusion. ISO is introducing similar revisions that address the access or disclosure of confidential or personal information in the ISO general liability and businessowners programs.