KNOW YOUR RISKS, LIABILITIES AND POTENTIAL COVERAGE GAPS
According to the Identity Theft Resource Center, cyber security events increased by 27% in 2014 to reach 5,029 data breaches and as many as 675 million records compromised. Their scale and sophistication have led many organizations to conclude that their cyber-security programs don’t match the technological sophistication of today’s attackers.
“We’ve been in the denial stage for 15 years, but today's businesses are finally realizing that they have to do something, which includes both strengthening cyber security safeguards and employing the right cyber policy for their business,” said Arturo Perez-Reyes, Senior Vice President, HUB International. “Organizations are saying to themselves, ‘If Sony can’t stop the people who attacked them, what chance do I have?’”
Perez-Reyes suggests a four-pronged approach to minimizing cyber risk: Avoid, Prevent, Mitigate and Transfer.
- Avoid cyber risks by making sure anything sensitive is encrypted, including employees' Social Security numbers, health care information, passwords, etc.
- Prevent intruders by deploying strong firewalls and intrusion detection systems as well as developing robust policies and procedures about document handling, storage and destruction. For example, get rid of personal information in a way that can’t be recovered, such as shredding paper files and deleting personal records, and smashing or acid-bathing hard disks.
- Mitigate your potential cyber risks by developing an incident response plan in advance. Don’t wait until a cyber security breach occurs to create a response and continuity plan. Speak with attorneys, and put a notification vendor and a public relations firm in place to mitigate the financial impact on the company. Run table-top exercises annually.
- Transfer your risk by examining all vendor, cloud and partner contracts. Do liability agreements ensure that you receive indemnities from them should they cause a breach of your data? Are the damage caps too low for the potential losses? Have you demanded proof of insurance?
New Forms of Cyber Crime
Criminals are endlessly creative when it comes to monetizing breaches. They exploit easily guessed or re-used passwords, and human error. And more and more, they trick people into giving them money. For example, a new form of social engineering attack eludes most crime insurance policies. Hackers breach a computer and send fraudulent emails directing others—in the name of the breached victim—to pay them monies at new accounts. Who loses? Not the bank but rather companies with minimal internal controls and weak cyber insurance coverage.
Mobile Devices Increase Business Risks
“If you’re a burglar, why go into a house that has an alarm if there’s one that doesn’t have an alarm,” said Abdelhamed Sadik, MBA, RPLU, CPCU, ARM, Vice President, Executive Liability Practice, HUB International Insurance Services. “Like a burglar, cyber criminals will take the path of least resistance. They’re looking for the organizations that don’t have proper security controls, policies and procedures in place.”
One of the most effective ways to determine if an organization has adequate controls is to complete an application for cyber insurance coverage. Using the application as a guide, your HUB risk broker can help determine if you have adequate internal controls and protection of individual information.
Not All Cyber Coverage is Created Equal
Companies should not assume that their business owner’s policy will cover a potential breach. General liability policies do not cover cyber security breaches. Crime policies do not cover spear phishing. Therefore, firms need specialized cyber insurance forms that provide liability as well as first-party coverage for breach expenses, regulatory investigation, non-physical interruption and extortion.
First-party expenses can add up fast, including breach-event expenses like notification required by law and credit file monitoring required by prudence. Should identity theft result, you will need to provide identity restoration services to victims and hire a privacy attorney to guide you through the complex legal landscape of laws and lawsuits. You will need to hire a data forensics team to identify where the breach occurred. You might need to cope with network extortion or reimburse for payments made under duress. You might face network business interruption that leads to a loss of income and extra expense. You might need to restore, recreate or recollect data that has been corrupted, altered or destroyed.
Following a breach, you will also face regulatory challenges. Although there are only a few federal laws on the books for data privacy — the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA) and the Children’s Online Privacy Protection Act (COPPA) — you will be dealing with 47 state laws as well as with their attorneys general and the Federal Trade Commission. Since most firms hold workers’ compensation data and have employees enrolled with health insurers, you are also likely to deal with federal and state healthcare laws such as HIPAA and the Cash Management Improvement Act (CMIA) and their regulators: the U.S. Office of Civil Rights and Health and Human Services.
“Because it’s important to consider all first-party expenses, companies need stand-alone cyber coverage to be tailored to their industry, revenue size, number of records in their custody, and business size,” said Michelle Lopilato, Director of Cyber Risk Solutions, HUB International. “We typically find that small to mid-size businesses don’t have the resources for a full breach response so they typically need and want the insurance company to manage the claims process and assign vendors — privacy attorney, data forensics team, credit monitoring, PR firms — whereas the larger companies, with established vendor relationships may want to run the direction of the claim themselves, requiring more of a hands-off policy.”
Thus, businesses should work with a HUB specialist to identify exposures and tailor coverage to their specific organization so they buy the right cyber policy for their business and value chain. Lopilato recommends watching out for the following potential gaps when purchasing cyber coverage:
- Know your limits. Make sure you have regulatory coverage limits that match your specific business needs. For example, if your business has a healthcare exposure, HIPAA will govern any breach and drive remediation measures, defense and investigation costs, and could produce expensive fines. As a result, it is critical that your insurance coverage not be limited. Some forms can extend limits by placing breach costs outside of the aggregate. Finally, ask yourself: How might a breach event affect third parties, and how much would you need to defend and pay damages?
- Understand any exclusions. Cyber policies often have exclusions for unencrypted mobile devices, like laptops, phones and backup tapes. Good brokers address exclusions by having clients improve controls and then negotiating with insurers to remove or narrow them. For example, clients can encrypt their mobile devices and have this exclusion removed mid-term.
- Examine your needs. Make sure you are purchasing coverage that matches your business risks. For example, if you have a website, you may need media and content liability for infringements of copyright and trademark. Similarly, if you sell a technology product or provide any kind of service, the attendant liabilities can be wrapped into a cyber policy. In this way, you save money over separate policies and avoid possible conflicts between insurers about coverage issues.
- Compare potential breach costs to reimbursement payment plans. Cyber policies come in two flavors: duty to defend or duty to indemnify. The first is the most common. Insurers handle your defense. In some forms, they can also handle all of the incident response. The latter form allows you to manage the breach, defense and vendors. Some firms prefer this approach when they want to choose counsel or the IT response team.