E-risk. Data and network security. Cyber liability. There are as many names for insurance that covers privacy and Internet liability as there are insurance companies.
In general, “cyber” is a catchall phase referring to use of computers, the Internet, networks and electronic data, says Jan O’Rourke, CPCU, RPLU, ARM, assistant vice president and director of client services – specialty division at ECBM.
“I don’t know of any responsible business that would operate without standard insurance coverage — general liability, auto, workers’ compensation and property — to protect the business against financial loss, and possibly ruin,” O’Rourke says.
“With the evolution of computer usage, cyber exposures are growing rapidly. For many businesses, their chance of a loss occurring due to a ‘cyber’ type claim is greater than a loss covered by standard coverage,” she says. “Yet many executives don’t seem concerned about the risk, and still don’t think they need cyber coverage.”
Smart Business spoke with O’Rourke about cyber risks and how insurance has become necessary to cover this exposure.
Do general liability policies provide any kind of cyber coverage?
Years ago, some cyber coverage could be found under the general liability and property policies. Those days are gone. Most insurance companies have added specific exclusions to eliminate any chance of coverage for cyber claims. The exclusions wipe away any doubt about coverage.
Who and what is at risk?
Any business that uses computers, stores personally identifiable data (even if only for employees), communicates electronically and maintains a website or social sites, among other functions, has a risk exposure.
Risks include third-party liability arising from failing to safeguard confidential private information of others, damage to another party’s computer network, infringement or personal-injury-type offenses communicated electronically, regulatory fines and penalties — such as payment card industry compliance, HIPPA and other federal and state regulations — and the cost to defend any of these allegations.
Also, a company that has a cyber attack faces first-party losses, such as the costs to notify persons affected by a privacy breach, including notification, credit monitoring and other services; crisis management event expenses; the cost to restore the computer system and network; and the loss of money, securities or other property from the computer fraud or fraudulent funds transfers. Additional expenses could come from e-commerce extortion, the loss of income due to computer systems not operating, and the costs for experts, forensic, legal or others needed after a breach or other incident occurs.
A 2012 cost study of 137 cyber breaches by NetDiligence found that an average breach cost $3.7 million, ranging from $2,000 to $76 million. The average cost per record was $3.94, with an average of 1.4 million records exposed in a breach.
How can companies benefit from cyber coverage?
One of the most important benefits is not payment of the loss; it is access to the insurance company’s expertise, including assistance after a loss occurs. The carrier knows the laws in each state regarding how notification must be handled, such as whom to notify and in what time frame. It has access to cost-effective legal, forensic and other specialists.
The insurance company also offers access to specialized websites that provide tools, tips and resources to prevent a cyber loss in the first place. Just reading the questions while filling out the application for this insurance provides food for thought.
It’s important to note that the only standard thing about the insurance market for cyber coverage is the fact that every insurer offers a completely different product. Cyber insurance premiums vary more than any other insurance line — as low as a few hundred dollars for the most basic extension to a policy, up to more than several hundred thousand dollars for the largest companies in high-hazard industries, such as health care, education and financial institutions.
You’ll need to utilize the expertise of your risk manager and/or insurance broker to analyze your specific business exposures and recommend the appropriate, broadest coverage for you. ●
Jan O’Rourke, CPCU, RPLU, ARM, is an assistant vice president and director of client services – specialty division, at ECBM. Reach her at (610) 664-8299, ext. 1210, or [email protected].
Insights Risk Management is brought to you by ECBM