In 2017 organizations communicate at the speed of light in an effort to reduce friction points with clients while providing a user experience in step with the evolution of technology. The use of computers has made conducting business fast, efficient, and often more cost effective, but it has also opened organizations up to new threats at an unprecedented level. There is no shortage of cyber horror stories experienced by organizations of all sizes highlighting the harm a data breach can inflict upon the two things that matter most: profitability and reputation. From a ransomware attack against a public utility in Michigan to countless W-2 business email compromise scams targeting a variety of industries, no organization can escape the borderless span of the internet. Security professionals are aware that the threat landscape has evolved, but the $7M question remains: has the approach to cyber liability insurance evolved with it?
The cyber liability insurance options on the market today bear little resemblance to the dot-com era offerings of 2000. Legal defense and settlement of third party claims are only a fraction of the value provided. Cyber insurance in 2017 is not only about financial risk transfer; it should serve as a critical component of the cyber risk management strategy, offering the necessary vendor connections and first party resources, and it can even be viewed as a strengthening of the IT department budget.
Many organizations, especially small to mid-sized enterprises (SMEs), believe they do not have anything of value that an adversary would want, or believe they are not on anyone’s radar for an attack. This could not be further from the truth. The 2015 Verizon Data Breach Report revealed that in 70% of the attacks where the motive was known, there was a secondary victim. This means the initial organization was targeted as a way to advance a different attack against another victim. Small to mid-sized organizations can present a path to a more data rich target. Criminals are opportunistic, and SMEs present favorable targets due to weaker IT infrastructure, security posture, and employee security awareness, as well as easy payouts from extortion demands. Strong risk management coupled with the right cyber insurance offering can keep an organization in business and operating in the black when a data breach occurs.
When evaluating cyber insurance options, it is important to understand that not all policies are created equal. There are variations in sub-limits, exclusionary wording, and insuring agreements, as well as a range of resources that can be offered to policyholders. The following cyber insurance checklist can be used for matching proper coverage with the needs of the organization. Appropriate limits for each insuring agreement should be based upon a number of factors such as industry sector, organization size, client base, type of data stored or processed, currently available resources (access to security vendors, a privacy attorney, consultants, etc.), risk tolerance, and an evaluation of how downtime could impact profitability, just to name a few. The following section breaks down critical cyber and privacy insuring agreements found within the marketplace today and what they can cover. These sections should be uniquely tailored to the needs of each organization. As you read on, ask yourself this question: am I getting the most from my cyber insurance policy?
This insuring agreement will typically include hiring a team of specialists, investigators, or forensic auditors for the purpose of conducting a review or audit to substantiate that a network attack is occurring or has occurred. The goal is to determine the scope, cause, or extent of any theft or unauthorized disclosure of information or data.
Data Breach Event Costs:
This section of a policy will typically include credit monitoring services, credit repair and restoration costs, identity theft monitoring expenses, identity theft education and assistance, as well as call center expenses. In the event of a HIPAA related breach, this section can even extend to medical record scrubbing for affected individuals.
A basic but important coverage under a cyber policy, this will address legal expenses, postage expenses, and related advertising expenses incurred to mitigate brand damage or to comply with governmental privacy legislation mandating notification of affected individuals. Make sure voluntary notification expenses are included for the event that notification is not required by law.
Business Interruption:
This critical component of coverage can address the net income an organization would have earned had no outage or attack occurred. The covered causes of interruption should encompass both malicious attacks and human error by an employee. A couple of recent examples come to mind which illustrate the importance of this coverage section. One such example was a router failure at Southwest Airlines in 2016 that crippled many of the airline's software applications. The outage lasted roughly 12 hours and caused nearly 2,300 cancelled flights over a five day timeframe. Estimated losses from this outage were $100M.
A second example that received a great deal of media attention was the 2016 Dyn attack. This attack involved multiple distributed denial-of-service (DDoS) attacks targeting systems operated by Domain Name System (DNS) provider Dyn, which caused major Internet platforms and services to be unavailable to a large base of users in Europe and North America. Criminals deployed millions of internet connected devices such as cameras, printers, and other smart devices to launch an attack on a critical part of the Internet. The attack crippled the websites of major companies like Amazon, Netflix, and Twitter for hours at a time.
It is important to note that this section will not typically extend to a business interruption loss if the disruption emanates from the computer infrastructure of an outsourced entity or third party service provider. That exposure can be addressed with what is referred to as contingent business interruption coverage.
Security & Privacy Liability:
This insuring agreement should offer legal defense and settlement costs pertaining to third party lawsuits arising from customers and financial institutions. Often, financial institutions will look to be reimbursed for card re-issuance costs and fraud charges resulting from a data breach along with class action lawsuits stemming from an organization’s affected consumers.
Multimedia & Intellectual Property Liability:
This section can address an organization's online presence. Defamation, libel, slander, piracy, or misappropriation of ideas, as well as infringement of copyright, trademark, domain name, title, or slogan, could be covered. This should also extend to liability arising out of the organization's negligence in connection with the release of multimedia content in advertising.
Cyber Extortion:
In 2016 more than $1B of ransom payments were made by business and individual victims. This attack method is not going away and continues to plague organizations of all sizes in 2017. Failure to properly back up informational assets and provide employee awareness training will leave any organization vulnerable to this attack. This section of the policy should provide payment of the extortion demand.
Computer Fraud:
This agreement within the policy should provide reimbursement for electronic theft of the organization's money, securities, or other assets. This should also extend to theft of clients' money and securities that are disbursed, paid, corrupted, or lost from an account under the control of the company.
Business Email Compromise (BEC):
The FBI advises that the BEC scam has been reported by victims in all 50 states and in 100 countries. Reports indicate that fraudulent transfers have been sent to 79 countries, with the majority going to Asian banks located within China and Hong Kong. The total U.S. exposed dollar loss from October 2013 to May 2016 totaled nearly $1B. This insuring agreement is usually separate from typical computer fraud coverage, and is often excluded from it, because it involves an employee of the organization willfully making the wire transfer. This is social engineering at its best.
This is a critical component of coverage that can serve as a budget enhancement to the IT department. This insuring agreement could extend to the costs to restore, re-collect, or replace data, including expenses for materials, working time, and overhead cost allocation associated with restoring or replacing data. This can include the necessary costs and expenses for the use of rented or hired external equipment, services, labor, or premises, and additional operating costs, even including staff overtime. Broad language will extend to other reasonable and necessary costs and expenses incurred directly as a result of a network disruption, which encompasses a wide range of IT related necessities.
Regulatory Fines & Penalties:
The FTC serves as an enforcer for protecting personal consumer information from cyber-attacks and data breaches. The FTC can investigate companies and charge them with unfair trade practices for failure to protect customers from the theft of online data. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) can also fine covered entities if HIPAA is violated. State and local government regulations continue to become more stringent, as evidenced by the New York Department of Financial Services cyber security regulation. Failure to comply can mean costly fines and penalties that hurt an organization's balance sheet.
PCI Fines & Penalties:
This insuring agreement can be confused with regulatory coverage; however, the PCI Security Standards Council is not a regulatory body. In the event of a data breach involving payment cards, fines can be levied against an organization’s payment processors. These companies will likely pass the fines on to the business via the merchant services agreement to recoup their losses from the company’s “negligence.” An organization can expect penalties anywhere between $5,000 and $10,000 a month for violations of PCI compliance rules. If the organization experiences a data breach where cardholder data is compromised, expect fines of $50 to $90 per cardholder. Coverage should not only encompass fines and penalties but also fraud recoveries and the cost of future assessments showing the company is now in compliance.
This section can look very different depending on the carrier offering terms. Some will only cover the costs of a public relations consultant to work with an organization to mitigate and address brand damage following a data breach. Others will take a much more robust approach and extend to the organization's future loss of net income due to termination of service contracts by clients or the reduction in the value of the business or brands. For a recent eye-opening example of how this works, look no further than the Verizon acquisition of Yahoo. An original acquisition price of $4.8B was agreed to prior to the two historic data breaches, of 500M and then 1B compromised accounts, coming to light. After much negotiation, the acquisition price and value of Yahoo was discounted by $350 million. The right insurance and limits could have covered the difference, or at least a portion of it.
Bodily Injury & Property Damage:
This is a very real and serious exposure for critical infrastructure, utilities, healthcare entities, and manufacturers. This coverage section will likely need to be added via endorsement. One example of how property damage can emanate from a cyber-attack was Stuxnet, a malicious computer worm that targeted industrial computer systems and was responsible for causing substantial damage to Iran's nuclear program in 2009. A second example was showcased in 2012 when 35,000 computers were partially wiped or totally destroyed at Saudi Aramco, one of the world’s largest oil companies. All it took to cause this widespread damage was for one of the computer technicians on Saudi Aramco's information technology team to open a phishing email and click on a link, causing the infection.
Use this cyber insurance checklist as a guide to determine whether or not the options put before the organization resemble the highlighted items. Work with a specialist who will guide the process and bring real value and expertise to addressing risks. This checklist is a general overview of what each insuring agreement could look like. It is absolutely critical to thoroughly review the actual terms and conditions quoted, as this list is not a replacement for that evaluation. Review exclusions and make sure the limits provided for each insuring agreement are adequate for the exposures. Data breaches are inevitable in the connected world organizations operate within. The question in 2017 shouldn’t be whether or not cyber insurance was purchased to begin with, but rather, was it the RIGHT cyber insurance?
About David Derigiotis
David Derigiotis is Corporate Vice President and Director of Professional Lines with the largest independent wholesale insurance broker in North America, Burns & Wilcox.