One Click Away from Danger: Cyber Risk and Insurance

By Shawn Dougherty

Today, virtually every commercial business in America realizes the necessity of an Internet presence to remain competitive. Whether to sell products and services, manage complex data sets, or publish information and make it available to customers through their websites, companies depend on the Internet.

The need for businesses to safeguard their customers’ personally identifiable information (PII) — Social Security numbers, credit card information, medical records, and so forth — has become paramount. While many firms allocate a large portion of their annual operating budget toward implementing, maintaining, and improving their network security, major security breaches continue to occur. According to one estimate by the Open Security Foundation, historically, security breaches have exposed more than 1.2 billion PII records.

The proliferation of security breaches has prompted new consumer protection laws. Currently, 46 states, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands have enacted legislation generally requiring businesses that suffer a data breach to notify all affected and potentially affected parties. In addition, various federal laws — such as Gramm-Leach-Bliley, HIPAA, and its 2009 HITECH modification — also hold companies in the financial services and healthcare industries liable for the disclosure of confidential customer information.

No matter how large or small a business is, the tangible and intangible costs of a data breach can be significant and may affect its survival.

In recent years, commercial lines insurance carriers have responded to these exposures by introducing stand-alone cyber insurance policies specifically designed to provide first- and third-party insurance coverage for computer- and Internet-related exposures, including operating a website.

Developing a standardized program to address cyber risk is a natural step in the evolution of insurance markets. Toward this end, insurers need policy contract forms, underwriting rules, and loss costs (projections of future claims). They must also structure coverage to address such issues as: What are the available limits of insurance, and are they subject to an overall aggregate policy limit? Under the liability coverage, will the insurer defend its policyholders in litigation, and if so, will those defense expenses be payable within the limits of the policy? Does the policy cover only claims made during the policy period? Are there endorsements to cover policyholders anywhere in the world?

Figure 1: Chronology of Data Breaches (2005 – Present). Source: Privacy Rights Clearinghouse.

To understand the issues related to developing a cyber risk program, insurers must recognize the potential risks that companies may encounter. Following are some of the computer- and Internet-related risk exposures a commercial enterprise may face and how a cyber insurance policy can address those exposures.

The Risk of a Security Breach
Security breach incidents come in various forms, such as a hacked computer system; a lost or stolen laptop or smartphone; misplaced, improperly discarded, or stolen shredded paper files; or unauthorized data file access by a current or former employee. The numerous ways in which data breaches occur require organizations to be vigilant in safeguarding against such attacks. While data breach incidents are frequently reported in the news, many more are never disclosed. The United States and other countries are calling for additional cooperative efforts and better reporting.

Figure 2: Cost of Data Breach (2011, U.S.)

Cyber insurance policies typically address the insured firm’s liability for the data breach, the expenses incurred by the firm to notify affected parties of the breach, and the cost to restore the firm’s brand and business reputation. The available liability coverage typically applies to actual or alleged neglect, breach of duty, or omission on the part of the insured firm — or if the firm’s computer system transmits a virus to a third party. Coverage may also be available if an insured firm experiences a programming error or omission that discloses a client’s PII.

Coverage to investigate the breach, handle notification costs, and pay for expenses incurred by the insured (to hire public relation firms, establish call centers, and implement credit monitoring services) commonly falls under cyber insurance policies. Depending on the size and extent of a data breach, the costs can quickly escalate into hundreds of thousands of dollars or more.

When a data breach occurs, companies may face a loss to their brand and business reputation. According to the Ponemon Institute — a research center dedicated to privacy, data protection, and information security policy — it can take from ten months to two years or more for a firm to restore its reputation after a breach of customer data. Many small commercial firms may not survive the expenses associated with a data breach and/or the resulting loss of revenue from the loss of customers.

Furthermore, businesses that experience a security breach resulting in the misuse of PII can also incur regulatory fines and penalties. The regulatory defense and penalties coverage provided under cyber insurance policies generally covers defense costs for regulatory proceedings brought against the firm by governmental agencies for alleged violations of privacy regulations and laws.

The Risk of Publishing Information on a Website
Companies publishing information on websites face the same legal exposures as other publishers in cases of copyright infringement, defamation, and violation of rights of privacy. Cyber insurance policies typically provide coverage for errors, misstatements, or misleading statements posted on a website that infringe on another’s copyright, trademark, trade dress, or service mark; defame a person or organization; or violate a person’s right of privacy.

The Risk of Damage to Data Caused by a Virus
Trojan horses, worms, malware, and e-mail viruses cost U.S. businesses billions of dollars each year. Computer viruses have infected millions of computers and caused billions of dollars in damages. Cyber insurance policies typically provide coverage for the cost to replace or restore electronic data or computer programs damaged or destroyed by a virus, malicious code, or denial-of-service attack and usually include coverage for the cost of data entry, reprogramming, and computer consultation services.

The Risk of an Extortion Threat
Cyber extortion threats have become more prevalent. Computer programs called “ransomware,” which can release a virus onto a computer system if a ransom is not paid, are replacing telephone threats. It’s estimated that more than two-thirds of organizations hit by a serious computer attack never report it and that thousands of these companies may be paying ransom demands.

The extortion coverage offered in many cyber insurance policies is similar to that provided in traditional kidnap and ransom insurance programs. Cyber insurance policies generally cover an insured’s computer system against threats to introduce a virus, malicious code, or denial-of-service attack; divulge the firm’s proprietary information contained in the system or a weakness in the source code within the firm’s computer system; and inflict ransomware or publish the confidential personal information of its clients.

The Risk of a Business Income Loss
A firm that ceases website business activities because of a virus attack or extortion threat — even for a short period of time — can sustain substantial loss of business income. This can be catastrophic, especially for those firms that generate a large percentage of their annual sales during a short seasonal period of time. In cyber insurance policies, the amount of covered loss is typically based on lost revenue from cyber activities and is often offset by revenue generated from other means of communication, such as telephone sales.

Not If, but When
Specialty insurance markets have addressed cyber risk for several years, though those customers tend to be larger computer-centric firms. However, the coverage is becoming mainstream, especially for smaller firms.

In a recent speech, Richard A. Clarke, an adviser to U.S. presidents and author of Cyber War, stated there are really only two types of companies: those that have experienced a breach and know about it and those who have experienced a breach and just aren’t aware of it yet. It’s no longer a matter of if but when a company suffers a breach.

The growth potential for cyber insurance is significant. As technology continues to advance and becomes even more embedded in day-to-day business activities — and the capabilities of computer viruses and hackers become more complex, stealthy, and frequent — businesses will be at greater risk. The need for cyber insurance coverage is evident. So ask yourself: How safe is your organization? Learn what can be done to safeguard your enterprise, and do it.

Shawn Dougherty is assistant vice president, Specialty Commercial Lines at ISO.