Recently, a top insurance industry trade magazine featured a cover story on cyber coverage, where it raised the question: “Is it the new ‘must-have’ coverage?” If it is the new “must-have” coverage, what is it exactly?
All businesses, except the lemonade stand on the corner, utilize various degrees of automation. Client information is no longer stored in metal file cabinets or locked desks. If a business is automated, then it is susceptible to a threat that could breach its systems, its data and its reputation among its clients.
Virtually every business today could be affected if something were to happen to its Internet technology applications, databases or computer systems. In the modern age, everyone works in a technology bubble. Cyber-liability coverage is becoming as important as general liability, commercial auto and fire insurance. Current and potential business owners need to consider this coverage as much as they would consider any other aspect of their business.
What is Cyber Liability?
Cyber liability can be broken down into two different categories and two different types of coverage. The first type is cyber liability, which covers wrongful acts or illegal activity (i.e., professional errors; the risks of doing business on the Internet; and working with a network system). This type of coverage includes data privacy wrongful acts coverage (i.e., when a business inadvertently transmits a virus to another business).
Cyber liability also covers content and media wrongful acts (i.e., when a business illegally uses or obtains images, or posts information on a website); and Internet protocol wrongful acts (i.e., when a business uses a given address for reasons outside of business purposes).
Recent surveys found that more than 50% of all cyber liability wrongful acts involve a rogue employee, which reinforces the need for businesses to have a fully developed and documented security plan. When there is a loss, because of the reporting requirements, companies lost an average of $234,000 per breach in 2009, according to a report by the Computer Security Institute.
The second category or type of coverage is cyber-terrorism/extortion. This differs from cyber liability because it involves the use or abuse of the information. Cyber-terrorism/extortion can be broken down into different categories.
The first category is personal information warfare, which provides coverage for computer-based attacks on individuals’ personal data. It may involve disclosing or corrupting confidential personal information (i.e., medical or credit files).
The second category, corporate information warfare, offers coverage for industrial espionage or disseminating misinformation about competitors over the Internet. Lastly, global information warfare provides coverage for a country’s critical computer systems against those who may want to disrupt the country by disabling infrastructure systems (i.e., energy, communication or transportation systems).
Implications of Losses
Now that they have been defined, what are the implications of each coverage? There are two types of implications – the direct-cost implication and the indirect-cost implication. The direct-cost implications include: crisis management expenses; loss of sales, staff time, network delays, intermittent access for business users during the disruption (a business interruption caused by a cyber breach is excluded from a standard general liability policy); increased insurance costs due to litigation; loss of intellectual property; and costs of credit monitoring.
According to the Ponemon Institute’s Annual Cost of a Data Breach study, the average cost of data breach in 2009 was $204 per record. For example, if a cyber attack breaches 5,000 client records, it will cost a business more than $1 million to monitor and notify the clients whose records were breached or exposed.
The indirect costs include: loss of confidence and credibility in a company’s financial systems; tarnished relationships and public image, strained business partner relationships – domestic and internationally; loss of future customer revenues for an individual or group of companies; loss of trust in the government and computer industry; and loss of trust in the business.
What Can You Do?
To help lessen the likelihood of a cyber attack, a business should consider the following:
- Conduct regular background checks of employees in sensitive positions
- Install audit features that monitor logon and logoff activities
- Provide warnings that unauthorized users may be subject to monitoring and prosecution
- Develop a trap and tracing mechanism with local telephone companies and implement systems that identify outside callers
- Report significant security breaches to relevant government agencies
- Implement policies and guidelines regarding the use of computing and information resources by employees
- Encourage employees to use encryption technologies if appropriate
- Implement security upgrades when they become available
Curious about what you can do to prevent Cyber Crime?
It has been estimated that more than a million companies rely on the Internet for more than 50% of their corporate business. Cyber-liability coverage has now become a necessity for every business that stores private information. Now is the time to talk with your insurance advisor and consider your options with regard to adding cyber-liability coverage to your business insurance program.
For additional information and resources to help you manage your risk of a cyber attack or data breach, download our eBook today.
Portions of this article reprinted with permission from PIA.