Cyber - Privacy Breach Insurance at a Glance
First-party coverage available includes:
- Forensic investigation. Covers the legal, technical or forensic services necessary to assess whether a cyber attack has occurred, to assess the impact of the attack and to stop an attack.
- Business interruption. Covers lost income and related costs where a policyholder is unable to conduct business due to a cyber event or data loss.
- Extortion. Provides coverage for the costs associated with the investigation of threats to commit cyber attacks against the policyholder's systems and for payments to extortionists who threaten to obtain and disclose sensitive information.
- Computer data loss and restoration. Covers physical damage to, or loss of use of, computer-related assets, including the costs of retrieving and restoring data, hardware, software or other information destroyed or damaged as the result of a cyber attack.
- Theft: Covers destruction or loss of the policyholder's data as the result of a criminal or fraudulent cyber event.
Third - party coverage includes:
- Litigation and regulatory. Covers the costs associated with civil lawsuits, judgments, settlements or penalties resulting from a cyber event.
- Regulatory response. Covers the legal, technical or forensic services necessary to assist the policyholder in responding to governmental inquiries relating to a cyber attack, and provides coverage for fines, penalties, investigations or other regulatory actions.
- Notification costs. Covers the costs to notify customers, employees or other victims affected by a cyber event, including notice required by law.
- Crisis management. Covers crisis management and public relations expenses incurred to educate customers concerning a cyber event and the policyholder's response, including the cost of advertising for this purpose.
- Credit monitoring. Covers the costs of credit monitoring, fraud monitoring or other related services to customers or employees affected by a cyber event.
- Media liability. Provides coverage for media liability, including coverage for copyright, trademark or service mark infringement resulting from online publication by the insured.
Darting for cover: the pros and cons of cyber insurance
They will be rubbing their hands in glee,” says Ann Bevitt, head of law firm Morrison & Foerster’s London privacy and data security group.
Bevitt isn’t quoting the chief of MI6, Sir John Sawers, who claimed recently that whistleblower Edward Snowden’s leaks would aid terrorists. Instead, she says, the ones who could reap the biggest rewards from the ongoing hysteria over mass surveillance, rising cyber threats and regulatory changes, are insurers.
But according to several top law firms, UK organisations are not yet insuring themselves against data breaches.
“In our experience, the vast majority have not insured themselves against such risk,” says Vinod Bange, partner at law firm Taylor Wessing.
Indeed, Richard Cumbley, a partner at Linklaters, believes that cyber insurance policies are less popular now than they were three years ago.
“I have had clients report to me that they have found the exclusions of these policies so great that it doesn’t make them very valuable; the premiums may be outweighing the losses recovered in the EU,” he says. In other words, organisations found that their premiums were more than the payouts they received under their policies, when it came to making a claim.
This contrasts with the US, where a recent survey from security software firm Symantec found that data recovery costs are higher than in the EU and, therefore, perhaps current insurance policies are more skewed towards the US market.
US take-up of cyber insurance has been steadily growing as a result of security breach notification laws that have been enacted in most US states since 2002, Jamie Bouloux, head of cyber products and liability at insurer AIG, explains.
“US businesses became much more concerned about dealing with privacy and identifying issues around large datasets of their subjects going missing or being stolen [after the new notification rules came in],” Bouloux says.
AIG has been underwriting cyber insurance for 13 years, and a year and a half ago it rolled out the product across the EU, EMEA and Asia Pacific.
The timing couldn’t have been better, with proposed EU regulations set to include fines for breaches of up to two per cent of global annual turnover – which could cost big corporations millions of pounds. For some, two per cent is not nearly enough.
“It is really scary for businesses in the EU because now there is talk of a fine [for data breaches] of up to five per cent of annual worldwide turnover, up from the two per cent that was stated. Either way it will make every organisation stop and think because that is huge, and this is likely to drive growth in insurance,” says Bevitt.
AIG can see that growth coming as a result of the new regulation, just as it did in the US a decade ago.
The insurance would be a “secure safety net”, Taylor Wessing’s Bange claims, as firms will be more exposed and not be able to sweep incidents “under the carpet”, which would in turn lead to reputational damage.
But Linklaters Cumbley argues that, for now, companies’ compliance teams should focus on staff training rather than taking out insurance, as he believes most data breaches involve some kind of human failure.
Bevitt, meanwhile, argues that organisations must also raise awareness among employees of external threats from hackers or disgruntled former employees. “However good your policies are in minimising risks, it won’t get around the significant risks that come from an external source,” she says.
Does insurance lead to complacency?
AIG’s Bouloux dismisses the notion that organisations that take out cyber insurance will use it as an excuse to relax their internal data governance practices.
“We’ve partnered with a company called Risk Analytics to offer internal training to clients around data security, data breaches, encryption, email safety and so on, so that if something happens when a client loses data, they can tell the regulator that they did everything within reason to try to ensure that there was an environment of security where its employees knew how to handle client information,” he says.
“Being able to prove that they weren’t negligent could save organisations millions in the long-run,” he adds.
ouloux says that companies would be more likely to try to raise cyber security awareness in the workplace and offer training to staff because it affects the pricing of the insurance policy.
“It affects the limit we’re willing to be putting out to risk; we want to see an organisation that has got a healthy understanding and approach to the security threat by employing the right technology, risk management, disaster recovery and training in place. These are huge aspects of the underwriting process. They shouldn’t look at it as an easy way out or they’ll become uninsurable,” he explains.
Organisations that are multinational, or that have customers and staff in other jurisdictions would see the cost of an insurance policy rising too, due to added complications, but Bouloux says that those that move data into the cloud wouldn’t have to fork out more money.
“We’ve built that into our policy because we realise that outsourcing is the reality for organisations today. It’s included in the liability piece and we cover the first-party associated costs with an optional extension, which we tend to sublet because we are underwriting the clients and not their outsourcing providers. As organisations tend to have many providers it becomes difficult to manage them all from an aggregation perspective,” he says.
But much of the cost depends on who the outsourcing service provider (OSP) is and what service it is that they are providing for the organisation.
“If you get a big name such as Amazon or IBM that is one thing. But there are a lot of players entering the space, especially in Eastern Europe or India, who have unproven track records and there are concerns about organisations moving to those types of OSPs. So we’re asking firms who their OSPs are and making sure we understand what the OSP provides,” says Bouloux.
AIG has teamed up with law firms Cameron McKenna, Norton Rose, and consultancy KPMG to offer clients a “data breach response service” whereby it provides legal and forensic experts who can help to identify and fix security vulnerabilities, as well as deal with regulators and any affected data subjects.
In the event of a breach, AIG can also offer clients a “crisis consultant” to handle the PR and mitigate reputational damage. It then works with the outsourcing service provider to identify exactly what data is missing and come up with a plan going forwards.
So do the cloud providers themselves buy cyber insurance?
“They don’t buy cyber insurance as much as they come to us to buy professional indemnity insurance. The reason mid-market SMEs are interested in cyber insurance is because they enter contracts with OSPs that have very limited liability, and then they don’t have the ability to sue because the contract states they are entitled to a month’s fee which could be £50, and the cost to the organisation is potentially £100,000,” Bouloux explains.
Although insurance costs can vary quite significantly for different types of companies, Bouloux says the “run-of-the-mill risk model” is worth £100,000 in indemnification for an annual premium of £400. However, premiums can amount to hundreds of thousands of pounds, he adds.
But deciding to purchase such insurance is the easy part, according to Seth Berman, UK head of risk management and intelligence firm Stroz Freidberg.
“The cyber security insurance market is in its infancy. As a result, there is very little consistency with the market about what is covered and what is excluded, and very little knowledge among potential buyers about what kind of coverage they need,” he says.
Berman advises organisations to undertake a thorough investigation of digital assets and vulnerabilities “in order to both minimise its risks and intelligently purchase insurance against those risks that cannot be eliminated”.
And perhaps, if the cyber insurance market does grow in the UK and Europe following the new regulations, new types of policies may be created. For example, UK firms could take on a common element that Japenese organisations include in their cyber insurance policies.
“They have a notion of ‘apology money’, so if someone’s data goes missing, we would offer monetary compensation – almost like a coupon – to apologise for the loss of the data,” says AIG’s Bouloux.
Why You Need Cyber Liability Insurance
Cyber hacking is big business, and no one is safe. Not individuals, not small businesses and not large corporations. All of your data including the names of your customers, their contact information and the social security numbers of your employees are valuable information to a cyber-hacker. Unfortunately, your business and standard property insurance does not cover your most important asset, but cyber liability insurance does.
Even a business interruption insurance policy will not come to your rescue if your systems fail because of a malicious employee, computer virus or a hack attack. Identity theft, telephone hacking and phishing scams are very real possibilities and not covered by traditional business interruption policies. Cyber insurance will cover for loss of profits because of a system outage that is caused by a non-physical peril such as a virus or attack.
You can be held liable if you lose your third party data. You may offer non-disclosure agreements and commercial contracts that contain warranties about security. If your data is breached, you could have expensive damage claims. There are severe penalties for losing credit card data. Merchant service agreements mean that you will be responsible for the expenses of forensic investigations, credit card reissuance costs and the fraud conducted on the stolen cards. Cyber insurance will protect you against most of these expenses that could run into hundreds of thousands of dollars.
In the U.S., most states have breach notification laws, and other countries are following suit. To comply with these laws takes time and money in the event sensitive personal date is lost. Written notification needs to be sent to those individuals who have been affected. Even if there is no law yet, a reputable company that protects its brand will provide breach notification. Cyber insurance could also cover regulatory fines or penalties.
Social media sites expose information at light-speed with little control. Your business site as well as your employee’s activity on these sites can trigger liability, if your business is responsible for the sites. Defamatory statements, leaked information and copyright infringement can all be covered with a cyber insurance policy. It may also cover the cost of a public relations firm to repair any damage done to your brand. It is becoming more and more likely that your business reputation will suffer from a cyber security breach. Losing the trust of your customers can be much more damaging than the financial loss you will incur to repair the effects of the breach.
When you look into cyber insurance, make sure all instruments are covered including laptops and mobile phones. Portable devices make it much easier to store and lose information. For example, a missing USB stick, a stolen iPad or a laptop left in a taxi are all real possibilities and, for a hacker, a goldmine. There are viruses being built just to attack mobile devices. Cyber insurance will cover stolen, lost or virus infested mobile devices. You can work with your insurance provider to integrate cyber liability insurance with your regular business insurance and employment liability policy.
A good insurance carrier will help you with risk management. It is in their best interest to make sure you have all the protection in place that is possible. They can make sure a firewall in in place to protect the network and help you select social media policies that reduce risk. Even if your data is stored in the cloud, you are still liable for breach. You cannot control how a cloud provider handles your data, and they do make mistakes. Your cyber insurance will protect you from this.
Large corporations may have risk management budgets, but small companies usually don’t. They may not have the financial means to not only pay for the fees and lawsuits that come with privacy breach or data loss, but also to stay afloat throughout the process. Most hack attacks target businesses with less than 250 employees.
Cyber liability insurance has been available for about 10 years. However, it is very rarely purchased. The data and information of a business is worth much more than the equipment on which it is stored. This will change as insurance companies understand the risk responsibilities and consumers understand the risk transfer benefits.
Read more at