Planning for the brave new world of cyber risk management—Why you should assess your vulnerabilities and evaluate the cost/benefit of adopting cyber risk management best practices, including cyber liability insurance

3383538729_6a817a8cfb_zIn 1984, the computers used in business were, for the most part, non-networked mainframe computers running a limited number of programs.  In 2004, networking of computers was becoming more common and the internet had opened an entire new world of data that could be mined (legally or illegally).  In 2014, businesses are confronted with an even wider set of risks presented by the ubiquitous nature of the smart phones carried by their employees.  These devices often contain sensitive business information or are merely a few clicks away from accessing company secrets saved in the cloud or on company computers.

Almost every business today uses a computer system to manage its finances and billing, store customer information, communicate with clients, store confidential client data, and manage human resources information.  Some businesses, like law firms and medical care providers, even store medical records that are subject to heightened security standards.

What are most businesses doing to protect themselves from data theft or accidental disclosure of confidential information?  Unfortunately, the answer is:  nothing other than maintaining traditional business insurance policies that often do not address these risks and even where they do provide coverage, the limits are insufficient to provide any real protection should the business experience a data breach.

This is why every business needs to consider investing in a specific Cyber Risk Insurance Policy.  In 2011, John Moccia of Innovation Guard identified six areas that any respectable cyber risk policy should address:

  1. Data Loss & System Damage– Your current property policy covers damage to the computer itself – but not the data stored on them.  Doh!
  2. Business Interruption – Loss of Revenue from downtime after a hack, denial of service, or a virus that causes a temporary or long-term shutdown in your operations.
  3. Notification Expenses – Almost every State has notification requirements – your company must disclose any breach to parties whose private information was, or is reasonably believed to have been, acquired by a person without valid authorization.  You may also have to provide ongoing credit monitoring.  This could generate significant expenses to your organization.
  4. PR/Crisis Management – You’ve experienced a security breach, been out of business for a week, notified thousands of clients and vendors of the breach…better do some spinning Stat!  Hire a PR firm to minimize the damage to your brand.
  5. Content Liability – Anything associated with the content of your website, blog or other web presence from copyright and other IP claims to slander to invasion of privacy.
  6. Regulatory Investigation Expense – With the new notification laws having been enacted and privacy legislation constantly changing, there is always the chance that you could get a knock on the door from a friendly civil servant.  Most policies exclude governmental or regulatory investigation costs.  Bummer.  Make sure your cyber policy includes it.

James Willhite of the Wall Street Journal wrote an article published August 13, 2013, which outlined why more and more CFO’s were evaluating purchasing cyber risk policies for their businesses.  Willhite reports, “As businesses become more interconnected and technology-dependent, demand for cyber insurance is expected to grow.  Insurers say what they offer is the protection against the very measurable costs that follow a breach. Those include the forensics required to analyze a breach, regulatory requirements to alert customers when their data have been exposed, credit monitoring for affected customers and, often, litigation costs from class-action lawsuits in the wake of a breach.”

Peter J. Beshar, EVP and general counsel of the Marsh & McLennan Companies, explained in Corporate Counsel magazine’s January 22, 2014 issue that “at the simplest level, cyber policies cover out-of-pocket costs from data breaches, such as notification of affected persons, credit monitoring and the operation of call centers. Cyber coverage can also respond to loss of revenue and additional expense created by network interruptions or IT outages—essentially a business interruption claim. Moreover, coverage can be obtained for acts of terrorism, extortion over control of networks and reimbursement for data restoration.  As with any insurance, it is important to review key exclusions. For example, many policies exclude harm resulting from the improper collection of data and place limitations on coverage for fines and penalties from regulatory actions. In addition, networks typically must be down for eight to 12 hours before lost income will be covered. Finally, companies should review how other coverages—such as property, crime and general liability policies—intersect to avoid gaps in coverage.”  Read more.

How much do these policies cost?  The premiums vary by provider, size of the company seeking coverage and the scope of coverage sought.  See pricing examples provided here.  In an April 13, 2014 posting, Christine Marciano lists some actual examples:

Healthcare SaaS Provider (startup)

Revenue:  $1.5million
Limit: $5 million
Premium: $30,420

Electronic Health Records (EHR) Provider

Revenue: $5 million
Limit: $1 million
Premium: $8010

Healthcare IT Consultant

Revenue: $150k
Limit: $1 million
Premium: $3298

Psychologist’s Office

Revenue: $1 million
Limit: $1 million
Premium: $1600

Online Retailer

Revenue: $500,000
Limit: $1 million
Premium: $1100

Doctor’s Office

Revenue: $1.7 million
Limit: $1 million
Premium: $1800

Fast Food

Revenue: $15 million
Limit: $1 million
Premium: $9000

Hospital

Revenue: $170 million
Limit: $5 million
Premium: $42,000

DataStorageCenter

Revenue: $15 million
Limit: $20 million
Premium: $120,000

If you watch the news, you realize that businesses can no longer ignore the risks that exist as a result of our increased reliance upon technology and the large volume of sensitive data that is available through business networks.  This brief post only scratches the surface of this rapidly expanding area in risk management.  Should you wish to explore this area more deeply, I recommend visiting the web site maintained by the United States government – through the Department of Homeland Security – which can be found here.  The National Protection and Programs Directorate (NPPD) began exploring the limitations in the cybersecurity insurance market in 2012.  Through a series of workshops in 2012 and 2013, stakeholders from insurance carriers, risk managers, information technology experts, infrastructure operators and academics identified four “pillars” to an effective cyber risk culture:  (1) Engaged Executive Leadership; (2) Targeted Cyber Risk Management and Awareness; (3) Cost-Effective Technology Investments Tailored to Organizational Needs; and (4) Relevant Information Sharing.  The summary of the findings and detailed reports can be found here.

We encourage all our clients and potential clients to evaluate whether their businesses are keeping up to date with information technology best practices.  Chances are you will find at least some areas where you can improve data security without breaking the bank.

Image by Holly Jalopy licensed under CC BY 2.0