Normally we don’t publish articles meant for the insurance-buying public; we focus instead exclusively on articles for insurance professionals. Today we are making an exception because Cyber is an emerging area that many insurance professionals don’t understand that well. This article does a great job of introducing Cyber.
Cyber Liability can seem confusing and overwhelming, but in reality, it boils down to a very simple concept:
If you require customers to provide their personal information in the course of doing business, you then become liable to protect that information from anyone.
It becomes easier once we break down two words from above:
Information: This can be interpreted as anything that can identify an individual. The most common examples are Credit Cards, Social Security Numbers, and Health Records. It also can extend to e-mail addresses, driver’s license numbers, and personal passwords.
Anyone: This is where things can get tricky. Most identify “anyone” to be hackers. In reality, “anyone” is anyone outside of your business network. This can be rogue employees who steal information, hackers who break into your systems, or the general public, if the information is accidentally released on paper or digitally.
Basically, any information about a person collected while doing business can create a liability for you and your business.
Can you identify some major exposures your business might have?
Here are two examples of Cyber Liability that do not involve a hacker:
- A school wanted to update its summer reading list for the students prior to Fall classes. They asked the administrator to copy and paste information from an Excel file to the postcards and mail them to all of the students. The administrator did exactly that, but did not realize that each student’s social security number was included in the spreadsheet and was thus sent out to the public. This could result in a multitude of issues, including a lawsuit from the identified individuals (or their guardians).
- Two siblings inherited a small tax accounting business from their father. Since neither was involved in this industry, they decided to close the doors and clean up. They dumped all of the paper files into the outside garbage bin without shredding them. Someone was able to stumble upon this personal information and steal identities, resulting in financial problems and potential lawsuits for the siblings.
What does “liability” really mean?
- If customers’ personal information is lost or stolen, your company can be sued by those customers for losing their information. The amount of the suit will vary depending on the type of personal information and the volume of customers impacted.
- If credit card numbers are involved, your business will face legal action from the credit card companies for all of the fraudulent charges racked up. Consumers are not being held responsible for fraudulent charges; rather, the credit card companies are suing the businesses that are at fault for the breach.
- Lastly, your business can face fines and penalties for negligence from regulatory bodies.
Is there insurance available to protect businesses from this? Yes!
There is good and bad news when discussing Cyber Liability insurance:
Good News: There are insurance policies today that protect against exactly the risks mentioned above, and so much more! Coverage now includes protection for first-party claims. These are losses that directly affect the insured, such as:
- Cyber Extortion: This is when your business network is held for ransom by a hacker. Hackers that gain entry into your systems can encrypt all of your files and promise to release them once you make payment to their account.
- Social Engineering: Someone is able to gain access to your network and trick accounting or upper management into transferring money to different accounts. The most common trick is an e-mail, purportedly from the owner of the company, sent to accounting and demanding an immediate wire transfer to a new bank account.
- Public Relations: Costs associated with restoring a business’ image within the community based on the impact of a data breach.
- Customer Notification/Credit Monitoring: Almost every state has a specific law that deals with losing personal information. You must notify each affected individual according to the rules of the state the customer lives in, not just the state your business resides in. This can be very costly and is usually packaged with an offer of free credit monitoring to the customers that were affected.
- Data Recovery/Forensic Costs: In the event that your business data has been destroyed or a breach has occurred, the insurance will hire a Computer Forensic Specialist to retrieve your lost/damaged data as well as determine the effects of the breach to your systems.
Bad News: Cyber insurance is relatively new and quickly evolving. No two companies are offering the exact same products, and most companies are including limitations on coverage or amounts. You should have your Cyber Insurance reviewed annually as the market continues to offer new insuring agreements. A policy written 3 years ago might be obsolete compared to today.
If you are looking to purchase Cyber insurance, it would be best to find someone who is well versed in the industry. I would seek an agent who can easily describe each insuring agreement, compare them to other markets, and explain your personal exposures specific to your industry.