
Cyber Liability Part II: Insurance

Insurance coverage for cyber exposures has been evolving since the 1990s.  Only in the last few years have standard policy forms and underwriting controls begun to take shape.  Considering your coverage should start with an understanding of the risks, some of which we outlined in A Business Introduction to Cyber Liability.  Once a business owner understands the basics of exposure and regulation, the next step is to consider how insurance can help mitigate that risk.

There are two victims with interests in a cyber liability case: the individual victim whose information was breached or stolen and the entity that was breached. In cases of copyright and intellectual property theft, the business is usually the only party directly affected.  In its 2011 Report, Verizon reported that of the attacks investigated, “92 percent were not highly difficult” and “96 percent of breaches were avoidable through simple or intermediate controls.”

Have you considered whether your standard Commercial General Liability (CGL), Commercial Property, Umbrella liability, fidelity/crime, and kidnap, ransom, and extortion policies cover you in instances of cyber crime and data breach?  A staggering number of both small and large organizations wrongly assume they do.  In the last decade the following limitations have been added to the standard Insurance Services Office, Inc. (ISO) CGL policy.

[Image: list of limitations added to the standard ISO CGL policy; not reproduced in text]

Limitations to CGL and property coverages, including business income, together with ever newer and more specific exclusions for web activity, e-commerce and social media, mean that specialized coverage is needed where the risk exposure is significant.

To date, there is no standard policy form in use industry-wide.  This makes it doubly important to work with a professional who can assist you in determining the right coverage for your exposure.  Let’s focus on a partial list of liability considerations.

Necessary Information Coverage
Ensure coverage includes all electronic data as well as all physical media (paper, laptop, portable disk, personal digital assistant (PDA), etc.) that can be breached.  Over 300 laptops are lost or stolen daily in US airports. All of these media are subject to breach notification laws and therefore present an exposure. Coverage should include both personal information (identifying, medical and other personal data) and corporate information, since a loss of corporate information can also be costly for the insured.  Some policies cover only employee data or only customer information.  Bottom line: try to purchase the broadest coverage fitting your risk exposure.

Third Party Liability
The focus of this coverage is liability arising from violations of privacy and data breach notification laws. These policies may also include coverage for a number of other types of liability, such as liability from transmitting a computer virus to another party or from copyright infringement in the insured’s website. It is important to pay attention to the prior acts date included in the policy, keeping it as far in the past as possible. More than half of all breaches take weeks or months from the date of first compromise to discovery.

Accidental vs. Criminal Loss
Look for a policy that covers accidental losses in addition to losses suffered when you are the victim of criminal activity.  Remember the statistic on laptops?

PCI Compliance Requirements
The issue of PCI compliance comes up often for small business.  PCI compliance is a standard set for your practices when transacting business through credit cards and the like.  Remember that PCI compliance is an ongoing state: a positive result from a review shows only a snapshot in time.  When a breach occurs, almost by definition, your company is not “compliant.” Beware of warranties outside the policy form; some insurers’ applications contain PCI warranties.

Care, Custody or Control
Given the number of grey areas created by an insured’s daily activities, you want to ensure your policy either avoids this clause or is explicit about coverage. Usually this clause states that only data in the ‘care, custody and control’ of the insured is covered.  As an example, what about information stored in a cloud computing location?  What about medical records being transported to a long-term storage facility by a vendor?

Don’t accept an “insider” exclusion
’Nuff said. By some estimates about half of data breach and cyber crime occurrences are perpetrated by employees.  According to Verizon’s 2010 data breach survey that number is around 48%.  Coverage should include occurrences due to insider activity.

Avoid encryption requirements
Here’s the problem with an insured being required to encrypt all data for coverage to apply.  Information on laptops, PDAs, and other devices is often not encrypted.  Password protection is not considered encryption.  Paper files, which fall under the same privacy and protective regulations, are not encrypted.

So should you simply assume that eliminating social media use among employees will end your exposure?  Is it fair to say that more monitoring of employees is needed, or that it’s time to encourage customers to pay with cash or check only?  Not on your business’s life.

There are more issues to consider when determining your level of exposure, how to mitigate those risks and then how and what coverage to purchase.  Working with a professional who understands this process is key.  Waiting for fate or bad luck to educate you could cost you your company.


Scott Graves is passionate about helping business owners.  Tune in to his show ‘The No Boundaries Radio Hour’ with co-host Dennis Mannone on the No Boundaries Radio Network.  Meet him at the crossroads between strategy and innovation at scott@smgravesassociates.com or on Twitter at @smgcreative.
