Finding Cover from Cyber Attacks

By Shawn E. Dougherty

This year marks the thirtieth-anniversary release of the film WarGames. It's the story of a teenager who almost starts World War III when he hacks a U.S. military supercomputer. Back in 1983, that young man was unique. Today, the teenage hacker is a cliché. Everyone is aware of the threat of being hacked. That's why many businesses have implemented security measures to reduce the chances of an attack and installed recovery protocols to limit damage and resume normal operations afterward. Unfortunately, the business world is still trying to determine a suitable strategy regarding insurance. Even our collective knowledge isn't enough to eliminate the cyber threat. In fact, it appears to be growing.

Commercial data breaches exposed more than one billion records last year, including several high-profile incidents. PCMag.com identified some of the largest breaches in history, including Heartland Payment Systems (130 million records), TJX Companies (94 million records), and TRW (90 million records), to name just a few.[1]

As the number of cyber attacks grows, so do the associated costs. Recently, the nonprofit Center for Strategic and International Studies (CSIS) and the computer security firm McAfee released a joint study [2] indicating that the cost of cyber espionage and cyber crime in the United States totals as much as $100 billion annually.

Companies that experience a breach can incur significant costs to:

  • notify affected parties of the breach
  • perform a forensic analysis to determine the data accessed
  • establish a call center to handle customers' breach-related inquiries
  • implement credit-monitoring services for affected parties
  • hire a public relations firm to help restore the company's brand and business reputation
  • pay fines assessed by governmental agencies and the payment card industry

The rising frequency and associated costs of cyber attacks are leading company owners and management to question whether they have proper coverage. If an enterprise is insured through traditional insurance products, the answer is probably not.

Some commercial insureds and insurance agents mistakenly believe that traditional insurance products provide adequate coverage to address exposures related to data breach. That typically is not the case. While traditional policies may provide limited coverage for some data breach costs, most do not cover all of them.

The Right Coverage

As the saying goes, you need the right tool for the right job. But first, you must stop using the wrong one. Traditional insurance policies no longer address all possible scenarios. And having a court find ambiguity in insurance coverage is never a good thing.

A case in point is a well-publicized breach at Designer Shoe Warehouse, commonly known as DSW. Hackers infiltrated the shoe retailer's wireless network to access credit card and checking account numbers for more than 1.4 million customers. DSW submitted a proof-of-loss claim that included costs incurred for communications with customers and for public relations in reaction to the breach. The company also sought reimbursement for defense costs in response to various government investigations. DSW submitted the claim under its commercial crime policy.

The insurer rejected the claim, believing commercial crime policies don't cover those expenses — bad news for DSW. But the news turned out to be worse for the insurer: DSW was successful when it sued the insurer. The court's reasoning behind the $6.8 million ruling was that any ambiguity in policy language should result in a ruling in favor of the insured.

That example is just one reason the insurance industry is currently reexamining coverage options in the face of growing cyber risk.

Insurers should begin addressing cyber exposures by adopting stand-alone cyber insurance policies that provide first- and third-party insurance coverage for computer- and Internet-related exposures, including the use of websites for commerce.

Cyber liability policies typically provide the following types of coverage:

  • website publishing liability — for errors, misstatements, or misleading statements posted on a website that infringe on another's copyright, trademark, trade dress, or service mark; defame a person or organization; or violate a person's right of privacy
  • security breach liability — for a company's liability following a data breach resulting in a hacker's gaining access to a third party's confidential information from within the insured's computer system, or if the firm's computer system transmits a virus to a third party
  • programming errors and omissions liability — for programming errors or omissions responsible for the disclosure of a client's confidential information held within the insured's computer system
  • replacement or restoration of electronic data — for the cost to replace or restore electronic data or computer programs damaged or destroyed by a virus, malicious code, or denial-of-service attack
  • extortion threats — for threats to introduce a virus, malicious code, or denial-of-service attack into the insured's computer system; divulge the firm's proprietary information contained in the system or a weakness in the source code within the firm's computer system; or inflict ransomware or publish confidential personal information of clients
  • business income and extra expense — for the loss of business income when a firm ceases website activities because of a virus attack or extortion threat
  • public relations expense — for expenses associated with restoring a firm's reputation following a data breach
  • security breach expense — for the cost of investigating a breach, notifying victims of the breach, establishing call centers, and implementing credit monitoring services

Cyber Incidents on the Rise

According to the Identity Theft Resource Center, as of October 1, 2013, there have been more than 450 data breaches exposing more than 8.3 million records this year alone.[3]

A joint study recently released by Experian Data Breach Resolution and the Ponemon Institute [4] shows that companies now consider cyber security risks to be greater than natural disasters or other major business risks. The study also indicated only about 30 percent of companies had some form of cyber liability insurance.

In her farewell speech as Homeland Security Chief this past summer, Janet Napolitano stated that "our country will, at some point, face a major cyber event that will have a serious effect on our lives, our economy, and the everyday functioning of our society."

The electronic age has altered the business landscape forever. Hackers will always find new and creative ways to access computer systems, and every successful business could fall victim to at least some measure of cyber risk. It's up to insurers to make certain that proper insurance coverage is readily available.

Shawn Dougherty is assistant vice president, Specialty Commercial Lines, ISO Insurance Programs and Analytic Services.

1. www.pcmag.com/article2/0,2817,2394743,00.asp
2. www.mcafee.com/us/resources/reports/rp-economic-impact-cybercrime.pdf
3. www.idtheftcenter.org/ITRC-Surveys-Studies/2013-data-breaches.html
4. Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age, research report independently conducted by Ponemon Institute LLC, sponsored by Experian Data Breach Resolution, August 7, 2013

New and Noteworthy

ISO recently implemented revisions to the confidential information exclusion in its commercial and government crime policies and its financial institutions policies. The company also introduced a data breach exclusion. ISO is introducing similar revisions that address the access or disclosure of confidential or personal information in the ISO general liability and businessowners programs.