Cyber-Privacy Breach Insurance at a Glance

First-party coverage available includes:

  • Forensic investigation. Covers the legal, technical or forensic services necessary to assess whether a cyber attack has occurred, to assess the impact of the attack and to stop an attack.
  • Business interruption. Covers lost income and related costs where a policyholder is unable to conduct business due to a cyber event or data loss.
  • Extortion. Provides coverage for the costs associated with the investigation of threats to commit cyber attacks against the policyholder's systems and for payments to extortionists who threaten to obtain and disclose sensitive information.
  • Computer data loss and restoration. Covers physical damage to, or loss of use of, computer-related assets, including the costs of retrieving and restoring data, hardware, software or other information destroyed or damaged as the result of a cyber attack.
  • Theft. Covers destruction or loss of the policyholder's data as the result of a criminal or fraudulent cyber event.

Third-party coverage includes:

  • Litigation and regulatory. Covers the costs associated with civil lawsuits, judgments, settlements or penalties resulting from a cyber event.
  • Regulatory response. Covers the legal, technical or forensic services necessary to assist the policyholder in responding to governmental inquiries relating to a cyber attack, and provides coverage for fines, penalties, investigations or other regulatory actions.
  • Notification costs. Covers the costs to notify customers, employees or other victims affected by a cyber event, including notice required by law.
  • Crisis management. Covers crisis management and public relations expenses incurred to educate customers concerning a cyber event and the policyholder's response, including the cost of advertising for this purpose.
  • Credit monitoring. Covers the costs of credit monitoring, fraud monitoring or other related services to customers or employees affected by a cyber event.
  • Media liability. Provides coverage for media liability, including coverage for copyright, trademark or service mark infringement resulting from online publication by the insured.

Darting for cover: the pros and cons of cyber insurance

“They will be rubbing their hands in glee,” says Ann Bevitt, head of law firm Morrison & Foerster’s London privacy and data security group.

Bevitt isn’t quoting the chief of MI6, Sir John Sawers, who claimed recently that whistleblower Edward Snowden’s leaks would aid terrorists. Instead, she says, the ones who could reap the biggest rewards from the ongoing hysteria over mass surveillance, rising cyber threats and regulatory changes, are insurers.

But according to several top law firms, UK organisations are not yet insuring themselves against data breaches.

“In our experience, the vast majority have not insured themselves against such risk,” says Vinod Bange, partner at law firm Taylor Wessing.

Indeed, Richard Cumbley, a partner at Linklaters, believes that cyber insurance policies are less popular now than they were three years ago.

“I have had clients report to me that they have found the exclusions of these policies so great that it doesn’t make them very valuable; the premiums may be outweighing the losses recovered in the EU,” he says. In other words, organisations found that their premiums were more than the payouts they received under their policies, when it came to making a claim.

This contrasts with the US, where a recent survey from security software firm Symantec found that data recovery costs are higher than in the EU and, therefore, perhaps current insurance policies are more skewed towards the US market.

US take-up of cyber insurance has been steadily growing as a result of security breach notification laws that have been enacted in most US states since 2002, Jamie Bouloux, head of cyber products and liability at insurer AIG, explains.

“US businesses became much more concerned about dealing with privacy and identifying issues around large datasets of their subjects going missing or being stolen [after the new notification rules came in],” Bouloux says.

AIG has been underwriting cyber insurance for 13 years, and a year and a half ago it rolled out the product across the EU, EMEA and Asia Pacific.

The timing couldn’t have been better, with proposed EU regulations set to include fines for breaches of up to two per cent of global annual turnover – which could cost big corporations millions of pounds. For some, two per cent is not nearly enough.

“It is really scary for businesses in the EU because now there is talk of a fine [for data breaches] of up to five per cent of annual worldwide turnover, up from the two per cent that was stated. Either way it will make every organisation stop and think because that is huge, and this is likely to drive growth in insurance,” says Bevitt.

AIG can see that growth coming as a result of the new regulation, just as it did in the US a decade ago.

The insurance would be a “secure safety net”, Taylor Wessing’s Bange claims, as firms will be more exposed and not be able to sweep incidents “under the carpet”, which would in turn lead to reputational damage.

But Linklaters’ Cumbley argues that, for now, companies’ compliance teams should focus on staff training rather than taking out insurance, as he believes most data breaches involve some kind of human failure.

Bevitt, meanwhile, argues that organisations must also raise awareness among employees of external threats from hackers or disgruntled former employees. “However good your policies are in minimising risks, it won’t get around the significant risks that come from an external source,” she says. 

Does insurance lead to complacency?

AIG’s Bouloux dismisses the notion that organisations that take out cyber insurance will use it as an excuse to relax their internal data governance practices.

“We’ve partnered with a company called Risk Analytics to offer internal training to clients around data security, data breaches, encryption, email safety and so on, so that if something happens when a client loses data, they can tell the regulator that they did everything within reason to try to ensure that there was an environment of security where its employees knew how to handle client information,” he says.

“Being able to prove that they weren’t negligent could save organisations millions in the long-run,” he adds.

Bouloux says that companies would be more likely to try to raise cyber security awareness in the workplace and offer training to staff because it affects the pricing of the insurance policy.

“It affects the limit we’re willing to be putting out to risk; we want to see an organisation that has got a healthy understanding and approach to the security threat by employing the right technology, risk management, disaster recovery and training in place. These are huge aspects of the underwriting process. They shouldn’t look at it as an easy way out or they’ll become uninsurable,” he explains.

Organisations that are multinational, or that have customers and staff in other jurisdictions would see the cost of an insurance policy rising too, due to added complications, but Bouloux says that those that move data into the cloud wouldn’t have to fork out more money. 

“We’ve built that into our policy because we realise that outsourcing is the reality for organisations today. It’s included in the liability piece and we cover the first-party associated costs with an optional extension, which we tend to sublet because we are underwriting the clients and not their outsourcing providers. As organisations tend to have many providers it becomes difficult to manage them all from an aggregation perspective,” he says.

But much of the cost depends on who the outsourcing service provider (OSP) is and what service it is that they are providing for the organisation.

“If you get a big name such as Amazon or IBM that is one thing. But there are a lot of players entering the space, especially in Eastern Europe or India, who have unproven track records and there are concerns about organisations moving to those types of OSPs. So we’re asking firms who their OSPs are and making sure we understand what the OSP provides,” says Bouloux.

AIG has teamed up with law firms Cameron McKenna, Norton Rose, and consultancy KPMG to offer clients a “data breach response service” whereby it provides legal and forensic experts who can help to identify and fix security vulnerabilities, as well as deal with regulators and any affected data subjects.

In the event of a breach, AIG can also offer clients a “crisis consultant” to handle the PR and mitigate reputational damage. It then works with the outsourcing service provider to identify exactly what data is missing and come up with a plan going forwards.

So do the cloud providers themselves buy cyber insurance?

“They don’t buy cyber insurance as much as they come to us to buy professional indemnity insurance. The reason mid-market SMEs are interested in cyber insurance is because they enter contracts with OSPs that have very limited liability, and then they don’t have the ability to sue because the contract states they are entitled to a month’s fee which could be £50, and the cost to the organisation is potentially £100,000,” Bouloux explains.

Although insurance costs can vary quite significantly for different types of companies, Bouloux says the “run-of-the-mill risk model” is worth £100,000 in indemnification for an annual premium of £400. However, premiums can amount to hundreds of thousands of pounds, he adds.

But deciding to purchase such insurance is the easy part, according to Seth Berman, UK head of risk management and intelligence firm Stroz Friedberg.

“The cyber security insurance market is in its infancy. As a result, there is very little consistency with the market about what is covered and what is excluded, and very little knowledge among potential buyers about what kind of coverage they need,” he says.

Berman advises organisations to undertake a thorough investigation of digital assets and vulnerabilities “in order to both minimise its risks and intelligently purchase insurance against those risks that cannot be eliminated”.

And perhaps, if the cyber insurance market does grow in the UK and Europe following the new regulations, new types of policies may be created. For example, UK firms could take on a common element that Japanese organisations include in their cyber insurance policies.

“They have a notion of ‘apology money’, so if someone’s data goes missing, we would offer monetary compensation – almost like a coupon – to apologise for the loss of the data,” says AIG’s Bouloux.



Cyber-insurance: Mitigating the dreaded Friday night phone call

Why cyber-insurance may be necessary, and the differences between the available coverages


Every in-house counsel dreads the telephone call on a Friday evening that starts with the words “I’m glad I found you.” That’s especially true if that telephone call informs the in-house counsel about the newly terminated IT department employee who was able to access the company’s confidential data systems 30 minutes before his access was deactivated. At that point, in-house counsel knows she is in for a long weekend and weeks or months of investigation, mitigation and possibly recriminations. Of course, there are two more questions that may be forgotten in this moment of crisis but will be asked soon enough: “How much will the investigation and remediation cost?” and “Who pays?”

Add to our example an additional twist: Our in-house counsel breathes a sigh of relief when she is told that the company’s security team has determined that the ex-employee introduced a virus that was intended to damage the company’s systems but that it failed to do any damage. Problem solved, correct? Unfortunately, even if there is no damage, the company could still incur significant costs as a result of the breach. In most circumstances, IT security departments will require a review of all of the major systems to confirm that the virus did not in fact infiltrate any systems and cause latent damage or a cybersecurity breach. Such an investigation can be extremely costly. At least one study has determined that the average cost to resolve an actual or potential cyber-attack is approximately $600,000. These costs can include forensic and investigative activities, assessment and audit services, crisis team management, and communications internally to executive management and board of directors and possibly externally to shareholders or the public.  

While in-house counsel and the company’s IT security team are dealing with the immediate impact of a breach and beginning to plan for the longer-term response, a key aspect that should be at the top of the “to-do” list is to contact the company’s internal and external insurance coverage counsel and representatives. In order to maximize coverage, companies need to make sure that not only have they made a claim within the time limits required, but also that they are responding to the breach consistent with the requirements of their insurance policies.

Most companies typically have traditional insurance policies that may cover cyber risks, including commercial general liability (CGL) coverage. CGL policies generally cover the company against liability for claims alleging “bodily injury” and/or “property damage” and also against liability for claims alleging “personal injury” and/or “advertising liability.” Insurers typically argue that “cyber” risks are not intended to be covered under CGL policies, but insureds have had some success in pursuing coverage for cyber risks. Insurers have begun to constrict CGL policy language in an effort to preclude coverage for losses arising from data breaches. In order to specifically cover the risks associated with cyber breaches, and to protect the company’s balance sheet, companies are looking toward cybersecurity insurance.

Insurance companies are currently offering cybersecurity insurance policies that protect businesses from Internet-based risks, and more generally from risk relating to information technology infrastructure and activities. While cyber-insurance coverage is relatively new to the market, the types of coverage are typically divided between first-party coverage, which protects the policyholder itself, and third-party coverage, which protects against the claims of a third party against the policyholder. 

First-party cybersecurity policies may provide coverage for:

  • The costs associated with determining the scope of the breach and taking steps to stop the breach;
  • The costs of providing notice to individuals whose identifying information was compromised;
  • Public relations services to counteract the negative publicity that can be associated with a data investigation;
  • The costs of responding to government investigations;
  • The costs of replacing damaged hardware or software;
  • The costs of responding to parties vandalizing the company’s electronic data; and
  • Business interruption costs.

Third-party cybersecurity policies may provide coverage for:

  • Liability for permitting access to identifying information of customers;
  • Transmitting a computer virus or malware to a third-party customer or business partner;
  • Failing to notify a third party of their rights under the relevant regulations in the event of a security breach; and
  • Potential “advertising injury,” i.e., harms through the use of electronic media, such as unauthorized use or infringement of copyrighted material, as well as libel, slander, and defamation claims.

There is also specific cyber-insurance for privacy breach incidents. This insurance could pay for the immediate response to the breach to stop the damage, reimburse the costs of replacing hardware or software, and cover the costs of investigating the scope of the breach. It could also pay for the costs of providing notice to people whose information was disclosed, and the insurer may even have preferred vendors that it favors for providing that notice. Business interruption costs may also be covered, as well as reimbursement for the costs of responding to investigations or of work to counteract negative publicity.

While our in-house counsel probably can’t save her Friday night plans, proper planning on the part of the company can reduce the monetary harm and other risks of actual or even potential cybersecurity breaches. Companies should seriously consider purchasing cybersecurity insurance and, in so doing, should consider first- and third-party coverage, data restoration costs and coverage for regulatory actions.


Why You Need Cyber Liability Insurance

Cyber hacking is big business, and no one is safe. Not individuals, not small businesses and not large corporations. All of your data, including the names of your customers, their contact information and the social security numbers of your employees, is valuable information to a cyber-hacker. Unfortunately, your standard business and property insurance does not cover your most important asset, but cyber liability insurance does.

Even a business interruption insurance policy will not come to your rescue if your systems fail because of a malicious employee, a computer virus or a hack attack. Identity theft, telephone hacking and phishing scams are very real possibilities and are not covered by traditional business interruption policies. Cyber insurance will cover loss of profits because of a system outage that is caused by a non-physical peril such as a virus or attack.

You can be held liable if you lose your third-party data. You may offer non-disclosure agreements and commercial contracts that contain warranties about security. If your data is breached, you could face expensive damage claims. There are severe penalties for losing credit card data. Merchant service agreements mean that you will be responsible for the expenses of forensic investigations, credit card reissuance costs and the fraud conducted on the stolen cards. Cyber insurance will protect you against most of these expenses, which could run into hundreds of thousands of dollars.

In the U.S., most states have breach notification laws, and other countries are following suit. Complying with these laws takes time and money in the event sensitive personal data is lost. Written notification needs to be sent to those individuals who have been affected. Even if there is no law yet, a reputable company that protects its brand will provide breach notification. Cyber insurance could also cover regulatory fines or penalties.

Social media sites expose information at light-speed with little control. Your business site, as well as your employees’ activity on these sites, can trigger liability if your business is responsible for the sites. Defamatory statements, leaked information and copyright infringement can all be covered with a cyber insurance policy. It may also cover the cost of a public relations firm to repair any damage done to your brand. It is becoming more and more likely that your business reputation will suffer from a cyber security breach. Losing the trust of your customers can be much more damaging than the financial loss you will incur to repair the effects of the breach.

When you look into cyber insurance, make sure all devices are covered, including laptops and mobile phones. Portable devices make it much easier to store and lose information. For example, a missing USB stick, a stolen iPad or a laptop left in a taxi are all real possibilities and, for a hacker, a goldmine. There are viruses being built just to attack mobile devices. Cyber insurance will cover stolen, lost or virus-infested mobile devices. You can work with your insurance provider to integrate cyber liability insurance with your regular business insurance and employment liability policy.


A good insurance carrier will help you with risk management. It is in their best interest to make sure you have all the protection in place that is possible. They can make sure a firewall is in place to protect the network and help you select social media policies that reduce risk. Even if your data is stored in the cloud, you are still liable for a breach. You cannot control how a cloud provider handles your data, and they do make mistakes. Your cyber insurance will protect you from this.

Large corporations may have risk management budgets, but small companies usually don’t. They may not have the financial means to pay for the fees and lawsuits that come with a privacy breach or data loss, let alone to stay afloat throughout the process. Most hack attacks target businesses with fewer than 250 employees.

Cyber liability insurance has been available for about 10 years. However, it is very rarely purchased. The data and information of a business is worth much more than the equipment on which it is stored. This will change as insurance companies understand the risk responsibilities and consumers understand the risk transfer benefits.


"2014 Data Privacy, Information Security and Cyber Insurance Trends Report"

This third annual "2014 Data Privacy, Information Security and Cyber Insurance Trends" report from Cyber Data Risk Managers, released on Data Privacy Day, January 28, 2014, shows our commitment to data privacy and our continued support to help empower businesses and organizations to make the protection of privacy and data a high priority in their environments. Included in this report are many invaluable insights and recommendations offered by data privacy and information security industry experts that will prove useful for businesses and organizations, regardless of industry or sector.