Cyber Insurance: Are you Covered?

Networked computing is now firmly embedded in virtually every business process. Providing a secure and trusted platform for conducting transactions and exchanging information is basic to the value proposition of every financial institution.

The platform, however, is only partly based at the institutions’ physical locations. It has expanded to include a distributed computing system that enables e-commerce with customers, suppliers and partners, which, more and more, is standard operating procedure. Physical limitations have been largely removed by the Internet and by the ability of institutions to connect their own electronic platforms to the Internet’s vast public structure, allowing information to flow easily among internal and remote users.

No matter how good your IT security is, your business is at risk of having its information stolen. Google, Facebook, Citibank, and even the federal government have fallen prey to cyber attacks in the past year.

It’s not just the big name companies that are at risk either – more and more small and mid-sized companies are becoming the victims of online data theft and fraud. While large-scale security breaches tend to get more attention from the media, it makes more sense for hackers to go after the “low hanging fruit” of smaller and more vulnerable companies.

The good news about cyber risks is that most data and privacy breaches are preventable. Only 3% of the 1,700 incidents that occurred in 2010 were considered unavoidable. By carefully considering your liabilities and proactively planning for incidents, you can do a great deal to ensure your company isn’t the next cyber victim.

It's hard to shell out big bucks for things that you hope you'll never use. That's why buying insurance of any kind is such a drag. But when it comes to mitigating risks that could wipe out your entire business in a matter of days, many people opt to play it safe. And there's a new risk in town: cyber risk. Not surprising, following close behind is cyber insurance.

Such policies, which have been around for about five years, are designed to protect businesses should they fall victim to hacker attacks or other forms of online mischief or catastrophe. And more businesses are considering such coverage worth the expense. According to the 2006 CSI/FBI Computer Crime and Security Survey, 29 percent of U.S. companies say they have external insurance policies to manage cyber security risks, up from 25 percent in 2005. It's easy to see why. Nearly all companies now rely heavily on electronic information, which puts them at risk of losing business as a result of network downtime or being held liable by customers as a result of stolen personal data. Buffeted by stories of phishing attacks, spybots, and malicious viruses and worms, what responsible business owner wouldn't be interested in turning a variable risk into a fixed cost?

But purchasing a cyber insurance policy is far from a no-brainer. The policies are often confusing and pricey. The main problem: cyber risk has been frustratingly difficult for insurers to quantify. Because cyber insurance policies are so new, there is a dearth of actuarial data on which to base premium rates. "The insurance provisions have been drafted pretty narrowly," says Joshua Gold, a partner at Anderson Kill & Olick, a New York City-based law firm that specializes in representing businesses in insurance disputes. Gold, for example, has reviewed policies that claim to guard against "computer security incidents" on the one hand, but then exclude something as basic as a virus from that definition.
Indeed, because there is next to no case law for precedent in technology-related insurance claims, it's not uncommon for policies to come with four or five pages of single-spaced exclusions to the coverage. Says John Pescatore, an analyst at Gartner (NYSE:IT), an IT research firm based in Stamford, Connecticut: "The price of the policies is too close to the cost of an actual event. You may be better off just spending the money to avoid an incident."

Cyber insurance policies also have been difficult to apply for, often demanding that applicants undergo a third-party audit of their security practices. Fortunately, many carriers have streamlined the process and now write policies based on such factors as the size of the company, the amount of data it holds on file, how many people have access to that information, security policies, whether data is encrypted, and whether the company has experienced losses in the past. Premiums are edging downward, too. At the New York-based insurance giant AIG (NYSE:AIG), for example, a typical policy for a small company could cost as little as $1,000 a year in premiums, with a $1,000 deductible and up to $100,000 in coverage. "We've got a good handle on how to evaluate the risks now," says Nancy Callahan, vice president of AIG's identity theft and fraud division.

Before you begin shopping for a cyber policy, dig up your existing business insurance policy and give it a close read. You might find that you're already covered for many cyber-related incidents. It all depends on how your current policy is worded. As cyber risks have grown, insurers have begun to add language to business liability policies that specifically excludes cyber-related liability. So when it comes to existing insurance, an older plan may actually offer better coverage. "Some of the older general liability plans have good broad coverage," says Gold. Say, for example, an identity thief breaks into your system, steals personal information, and sells it on the Internet. A customer may decide to file suit for a violation of privacy, as well as any monetary damages incurred. Under an existing personal injury plan, there's a pretty good chance that your business would be covered. If not, many carriers will allow you to extend an existing errors and omissions or general liability plan to cover some cyber risks.

For now, experts say that companies that deal heavily in electronic information are the best candidates for a separate cyber insurance plan. That is the case with Scott Paly, the CEO of Global DataGuard, an IT security products and services provider in Dallas. Like many contractors that are required by their clients to obtain errors and omissions insurance, Paly is now often asked by his customers to get cyber coverage as well. Paly pays more than the average business would for his insurance, about $11,000 a year, because of the nature of his business. But he views the added insurance as a cost of doing business. That's why he set the deductible high, at $25,000. "We have a high deductible," he says, "because I highly doubt we'll ever have a problem with this."

Nonetheless, insurers are marketing their cyber policies aggressively, and most experts agree that as more business is conducted electronically, the policies will become more widely adopted. "Transferring risk is a legitimate business strategy, and over time I think the insurance companies will be able to offer more compelling products," says Robert Richardson, director of the Computer Security Institute, an industry group for information security professionals. "Of course, there are some things you can't cover with insurance, like loss of customer trust or losses that land you in jail."

It is often assumed that a traditional Commercial General Liability (CGL) policy will afford you coverage for business interruption, intellectual property damage, and similar losses. Courts have even ruled that “physical damage” includes losses related to computer information. Insurers are avoiding this liability by adding specific exclusions and requiring endorsements for such coverage.

However, insurance carriers are now becoming more savvy about the technology industry. Product offerings are growing, and we are seeing a plethora of cyber insurance products. Knowing the ins and outs of each product will be key to proper policy selection.

Cyber liability coverage includes an e-comprehensive policy. This policy covers losses caused by fraudulent modification, accidental alteration or destruction of all electronically stored information. In addition, losses caused by malicious copying of trade secrets, extortion, and the introduction of a virus would be covered.

Media liability addresses the losses associated with libel, slander, invasion of privacy and infringement of copyright. This may be needed, especially if your employees are given email and Internet access. Email is an essential tool of today’s fast-paced business culture; however, messages taken out of context may cause difficulty. Establish an email usage policy and educate employees on the proper use of email and the web.

Cyber risk has become a leading issue for many organizations as awareness of cloud computing, social media, corporate Bring Your Own Device policies, big data, and state-sponsored espionage has grown, recently amplified by President Obama's Cybersecurity Executive Order. In an increasingly punitive legal and regulatory environment, and in the face of more frequent contractual insurance requirements specifying cyber liability, forward-thinking companies are taking proactive steps to explore and transfer cyber risk.

Organizations should be concerned about cyber risk if they:

  • Gather, maintain, disseminate or store private information
  • Have a high degree of dependency on electronic processes or computer networks
  • Engage vendors, independent contractors or additional service providers
  • Are subject to regulatory statutes
  • Are required to comply with PCI Security Standards/Plastic Card Security statutes
  • Are concerned about contingent bodily injury and property damage that may result from cyber incidents
  • Rely on or operate critical infrastructure (Personally Identifiable Information risks are less prominent for industries such as utilities, manufacturing and logistics)
  • Are concerned about intentional acts by rogue employees
  • Are public companies subject to the SEC Cyber Disclosure Guidance of 2011

While existing forms sometimes carry a level of coverage, they were not intended to cover many risks associated with an increasingly digital world. Typical forms respond as follows:

  • General Liability: covers bodily injury and property damage, not economic loss.
  • Errors & Omissions: covers economic damages resulting from a failure of defined services only, and may contain exclusions for data and privacy breaches.
  • Property Insurance: covers tangible property, which data is not. Loss must be caused by a physical peril, whereas the perils to data are viruses and hackers.
  • Crime: covers employees and generally only money, securities and tangible property. No coverage for third-party property such as customer/client data.

With identity theft causing tens of billions of dollars in extra business expenses annually, organizations face an array of direct and indirect costs from data breaches, according to a new white paper from Business Insurance.

Risk managers at all organizations should work to minimize their exposure to cyber risks by “expecting the unexpected” and adopting various strategies, both organizational and technological, according to the white paper by cyber risk and insurance expert Mark Greisiger, president of Philadelphia-based Network Standard Corp., which does business as NetDiligence.
Identity theft affects about 10 million U.S. residents a year and causes an estimated $50 billion in unnecessary business expenses, according to the Federal Trade Commission.

The theft of personal information costs organizations an average of about $710,000 per incident, according to an annual FBI study. And the sources of those extra expenses are numerous, according to the white paper, “Cyber Risks: How to Protect Your Business in the Digital Age.” They include:

  • Managing a lengthy forensic computer system investigation. Depending on the type of data (personal health information, images, audio files, etc.), the volume of information and other factors, such as centralization of systems, such costs can range from tens of thousands to millions of dollars.
  • Recovering from damage done to the organization’s reputation and to the trust of customers or business partners, which is difficult to quantify.

Organizations should develop a layered approach to cyber risk management, and the white paper includes practical advice on how risk managers can achieve that goal. Strategies discussed include technological defenses, such as firewalls and encryption, and system management changes, such as effective password-protection policies.

Specialty insurance protection against cyber risks was first offered more than 10 years ago and is becoming more readily available, as reflected in the white paper's directory of cyber insurers, which lists about 20 insurers offering coverage.

Related Links:

http://www.businessinsurance.com/article/20110103/NEWS/110109991

http://www.willis.com/Documents/Publications/General_Publications/Cyber_Risk_White_Paper.pdf

http://www.aon.com/attachments/risk-services/cyber/Aon-Cyber-Risk-Solutions-General.pdf

http://www.kapnick.com/
