Back in 1992, most business people didn’t know what a website was, let alone a cyber liability insurance policy. Today, issues arising out of data security, management of confidential information and infringement of intellectual property rights are all considered major exposures.
Interconnectivity has dramatically escalated the opportunity for catastrophic loss. Since 2005, more than 263 million data records of U.S. residents have been exposed to security breaches, according to the Privacy Rights Clearinghouse.
Risk Analysis
To protect against serious cyber crime, first perform a risk analysis, which involves identifying assets or circumstances that could give rise to a loss. Potential losses include a company’s data and the cost to restore it; the cost to defend against or settle a third-party claim; cyber extortion; the cost to notify individuals whose personal information may have been compromised and to pay for credit monitoring for those individuals (if required by law); and damage to reputation.
Nearly every state requires businesses that compromised an individual’s information to notify that individual. One study of larger companies estimated the cost of a data breach at $204 per compromised record. The same study calculated the average cost of a data breach at $6.75 million.
Risk Control
After identifying the exposures, determine how to lower the likelihood or severity of a cyber liability claim. In simple terms, the key is to centralize IT management and develop enforceable policies and procedures across the company’s network. These policies and procedures must be periodically checked to ensure they are being followed. In the event of a suspected or actual breach, it is important to take action as soon as possible. If necessary, notify a specialist who focuses on IT security.
Is the Risk Insurable?
Insurance can play a role in reducing the frequency and severity of cyber liability exposures. Although the Insurance Services Office created a standard policy in November 2009, most of the policies on the market today are unique to the company offering the coverage. Because of this, every policy needs to be evaluated to ensure it addresses the exposures each company faces.
These policies include first-party and third-party coverages. First-party coverage indemnifies the firm for the costs incurred to repair or replace damage caused by a covered peril; third-party coverage includes the cost to defend against and settle a third-party claim, including regulatory actions.
These policies commonly include coverage for the following exposures:
- Website publishing liability. This coverage protects a company from liability arising out of information posted on its website, which could include actual or alleged misstatements, copyright or trademark infringement, or violation of a person’s right to privacy.
- Security breach liability. This covers liability arising out of a security breach or transmission of a computer virus to a third party. A security breach occurs if an unauthorized person accesses the personal information of someone else, or if an authorized person uses the information inappropriately.
- Programming errors and omissions liability. This protects a company against legal liability arising out of actual or alleged programming errors that result in the disclosure of a client’s personal information.
- Replacement or restoration of electronic data. This first-party coverage indemnifies a company for the cost to replace or restore data or programs that are damaged or destroyed as a direct result of a computer virus or similar bug designed to damage, destroy or corrupt the firm’s computer system.
- Extortion threats. This reimburses the insured for extortion expenses and ransom payments incurred as a direct result of an extortion threat. Typically, these threats focus on introducing a virus or malicious code, or publishing clients’ personal information.
- Business income and extra expense. This provides coverage for the actual loss of business income and the extraordinary operating expenses incurred as a result of a cyber incident or extortion threat.
- Public relations expense. Cyber liability incidents can create bad press. This covers the costs of a public relations firm to help the insured protect or restore its reputation subsequent to a cyber liability incident.
- Security breach expense. Expenses incurred to notify others that their personal information has been compromised can be significant. This coverage reimburses the insured for those costs, including overtime salaries paid to employees who deal with the issue, fees for a company hired to operate a call center, post-event credit monitoring services and other reasonable expenses.
What Does It Cost?
Costs vary dramatically depending on the type and volume of information on file. Because cyber liability is a relatively new coverage, no adequate database exists to calculate rates. Most companies offering the coverage price their programs based on what they believe the exposure to be. Prices for smaller firms (fewer than 50 employees) probably will be in the $1,000 to $10,000 range. Larger firms should expect to pay $15,000 to $25,000.