Cyberinsurance is becoming a viable product for a lot of insurance companies and a must-have for businesses. Business clients need to know that the vendors they choose can protect their customer information. Unfortunately, information online is never going to be completely safe. As with all new products, cyberinsurance brings with it a host of unanswered questions.
Cyberinsurance: Protecting Against the Inevitable
Cyberinsurance Covers Major Liabilities
When a business suffers a loss, the first place it turns is the insurance policy. In the case of cyber attacks and data breaches, the traditional general liability coverage will not help. The Center for Insurance and Policy Research lists nine cyber risks
- Identity theft as a result of security breaches where sensitive information is stolen by a hacker or inadvertently disclosed, including such data elements as Social Security numbers, credit card numbers, employee identification numbers, drivers’ license numbers, birth dates and PIN numbers.
- Business interruption from a hacker shutting down a network.
- Damage to the firm’s reputation.
- Costs associated with damage to data records caused by a hacker.
- Theft of valuable digital assets, including customer lists, business trade secrets and other similar electronic business assets.
- Introduction of malware, worms and other malicious computer code.
- Human error leading to inadvertent disclosure of sensitive information, such as an email from an employee to unintended recipients containing sensitive business information or personal identifying information.
- The cost of credit monitoring services for people impacted by a security breach.
- Lawsuits alleging trademark or copyright infringement.
The Center points out that actuaries have a hard time quantifying the risk because they lack data. Many insurers instead rely on qualitative assessments based on policies and procedures. If an organization has a strong compliance portfolio, many of the risks that the insurers outline will have already been addressed during the assessment stage making it easier to underwrite the policies.
In order to make the right decision about the coverage, the company needs to focus its coverage on its biggest risks. The Center addresses seven types of liability coverage that might be available.
- Liability for security or privacy breaches. This would include loss of confidential information by allowing, or failing to prevent, unauthorized access to computer systems.
- The costs associated with a privacy breach, such as consumer notification, customer support and costs of providing credit monitoring services to affected consumers.
- The costs associated with restoring, updating, or replacing business assets stored electronically.
- Business interruption and extra expense related to a security or privacy breach.
- Liability associated with libel, slander, copyright infringement, product disparagement, or reputational damage to others when the allegations involve a business website, social media or print media.
- Expenses related to cyber extortion or cyber terrorism.
- Coverage for expenses related to regulatory compliance for billing errors, physician self-referral proceedings and Emergency Medical Treatment and Active Labor Act proceedings.
These coverages can help protect the company from the business costs associated with a breach. In order to purchase the best coverage, an organization needs to look at it compliance portfolio and controls. Comparing those to the potential liabilities in the event of a breach can help determine the best return on investment for cyberinsurance coverage.
Cyberinsurance Does Not Cover All Events
Unlike car insurance which is straightforward, cyberinsurance is likely to be an evolving field of coverage. This evolving market means that insurance companies have not yet determined how to word their policies to best protect themselves from unintended payouts. The emergent risks are currently unquantifiable meaning that those purchasing cyberinsurance need to review their policies carefully.
Most importantly, an organization needs to understand not just what is covered, but it needs to pay close attention to the exclusions in the policy. Common coverages include crisis management and identity theft responses, cyber extortion and malware, data asset recovery and restoration, and business interruption. Lisa Monti at the Mississippi Business Journal writes, “Common exceptions in policies include those for claims arising from unencrypted portable electronic devices, intentional acts of employees, cyber terrorism, Acts of God and security lapses that could have been prevented.”
It’s important to note here that while cyber extortion and malware are common coverages, cyber terrorism is a common exclusion. While the distinction might be made that a cyber terrorist works through the network for a political purpose and cyber extortion works via email to obtain money, these definitions may overlap in the months and years to come. With the distinctions unclear, there is likely a world of coverage litigation about to open up helping to navigate these coverages.
For organizations trying to maximize their investment in cyberinsurance, understanding the specific risks associated with the business becomes more important. Cyberattacks not only cause damage to the infiltrated business, but they often affect the organization’s customers due to the interconnectedness of modern business. When reviewing the proposed policy, a company may want to make sure that all third-party liability coverages match business needs.
The Internet of Things Impacts Cyberinsurance
Liability coverage generally incorporates physical injury to tangible property, bodily injury, and product recalls. An IoT manned cyber attack may implicate any of these coverages or even all three. Depending on the type of attack and the manner through which the attack is conducted, the allegations of a complaint could implicate multiple coverage areas. For example, as Ken Lynch discussed, a ransomware attack through a medical IoT could lead to bodily injury or death. In the event of an attack on an electric grid that is conducted through IoT the National Law Review notes
The potential defendants in the resulting class actions could well include: the owner of the infrastructure, the operator, the manufacturers of the devices through which the attack was made, developers of the control system software, developers of the security software providing firewalls and malware protection, and any other designer of those devices. Multiple defendants translates to expensive litigation. (Expensive investigations by regulators are also likely to follow in many industries.) When these defendant-insureds turn to their cyber policies for defense and indemnity coverage, they may well hear from their insurers that the alleged bodily injury and property damage liabilities are excluded based on coverage-defeating interpretations of policy language not drafted with these issues in mind.
Attempting to obtain coverage for cyber attacks under general liability policies will create a morass of lawsuits, similar to those surrounding asbestos and environmental claims in the 1980’s/1990’s. These lawsuits will attempt to distinguish between language and intent taking time and money to settle.
Cyber insurance, therefore, offers an option that can help the organization manage its cyber risk loss. For those who produce IoT devices or are the target of an IoT attack, the current scope of coverage is both uncertain and ambiguous. Limitations on the coverage can be negotiated, but the organization first needs to recognize what their insurance profile looks like across coverage lines.
Beyond that, when thinking in terms of third-party IoT coverage, an organization will need to determine whether the coverage available incorporates an appropriate loss scenario. This means that prior to purchasing and negotiating the coverage, the company should look at the potential losses an IoT attack might cause to ensure that deductibles and self-insured retentions make sense in light of the current risk profile.
Cyberinsurance Does Not Absolve a Company of Its Responsibilities
Cyberinsurance is increasing in importance. A September 2016 survey by the Risk and Insurance Management Society found 80% of companies bought cybersecurity policies. The biggest issues in cybersecurity remain those arising from the human factor.
Social engineering preys upon the company’s employees, tricking them into sharing data. Social engineering can take the form of links, videos, or pictures shared in emails or on social media. In addition, phishing scams can trick employees by looking like a trusted resource while accessing the work stations with malware or ransomware.
Cyberinsurance coverage can help against monetary losses arising out of data breaches. It can protect against libel arising out of a breach. It can protect against business interruption. It cannot, however, protect against employee mistakes. Prevention is still the most important step when it comes to minimizing risk.
Information Security Compliance Can Help Cyberinsurance Outcomes
As the cyberinsurance market matures, underwriters are getting a better handle on how to write for the losses. Max Perkins gets into the mind of an underwriter noting, “Supplemental applications look at data encryption tools, network segmentation, and point of sale systems, if there is exposure to credit card details. Please keep in mind that presenting best in class data privacy controls will help you obtain better quotations from underwriters.” If an organization wants to obtain the best quote for a cyberinsurance policy, having a strong compliance stance is one step in the right direction.
Moreover, strong controls can help support a filed claim. Insurance companies will first look to see if the organization was negligent, thus removing coverage. Since this negligence in these areas is currently ambiguous, the company may need to rely on its compliance stance to prove due diligence and obtain better claims outcomes in the event of needing to file a claim.
To learn how ZenGRC can help document compliance in the event you need to use it when filing a cyberinsurance claim, read our ebook Compliance Consolidated Objectives.