As cyber espionage and data breach threats escalate, new coverage strategies emerge to protect professionals from cyber vulnerabilities
When Yahoo announced a data breach in which at least 500 million accounts were compromised, it was big news, but hardly an isolated incident. That same week, hackers went public first with a picture allegedly of First Lady Michelle Obama’s passport, then with inside details on Vice President Joe Biden’s travel plans. And those incidents overshadowed other less widely reported cyber intrusions, most of which apparently were motivated by profit or politics.
People and businesses are intricately connected worldwide, with extraordinary amounts of personal data moving through cyberspace behind firewalls and other fortifications. Yet as breach-proof as those safety measures may seem, they are consistently compromised by increasingly sophisticated techniques, malware and maliciously directed human ingenuity. Therefore, losses are inevitable and mounting.
“The problem is especially acute for cyber professionals who develop applications and platforms, build and/or maintain systems and secure data,” says David Derigiotis, Corporate Vice President and Director, Professional Liability Center of Excellence, Burns & Wilcox, Corporate Headquarters. “A coding error or a deficiency in software that allows inappropriate wire transfers to come through is an errors & omissions exposure. Or if an app developer fails to build a product to the proper specifications or to discover a security flaw in a product that allows hackers to exploit it, that, too, is an E&O vulnerability.”
The vulnerability does not end there. Increasingly, liability is extending to the directors, officers and managers of organizations that suffer cyber attacks. Directors and officers are faced with lawsuits alleging they hired people or purchased equipment that proved inadequate to protect the data the organization collects. “They are even facing lawsuits alleging they were lax in establishing or enforcing practices to keep data safe or that they purchased cyber limits that were too low. These lawsuits are usually settled out of court with records sealed, so the alleged negligence may go largely overlooked,” says Michael Muglia, Underwriter, Professional Liability Center of Excellence, Burns & Wilcox, Corporate Headquarters. Still, these claims tend to be costly and many D&O policies do not adequately address the risk.
An Easier Sell
One bright spot amid the threatening clouds is a growing awareness of the need for tech coverage, especially among medical and retail organizations and universities. This heightened awareness often means a shorter sales cycle for these products; many clients are apt to consider investing in a policy the first time it is presented, says Karl Olson, Vice President, Professional Liability, Burns & Wilcox Brokerage, San Francisco, Calif.
A coding error or a deficiency in software that allows inappropriate wire transfers to come through is an errors & omissions exposure.
“Companies have Cyber & Privacy policies because they recognize the very real exposure for financial damage or reputational harm. However, brokers and agents must remain diligent in educating businesses on the prevalence of data breaches and the value of the data their businesses create and operate on,” says Olson. “It is not just cybercrime or distributed denial of service attacks.”
Olson provides brokers and their clients with the tools to navigate this complex coverage area. “We have put a lot of attention into building a network of deep resources so we can create a risk profile and identify, negotiate and present coverage in a client-ready format. We strive to make coverage relevant to clients so they will consider the proper risk transfer,” he says.
Rates are very competitive in the small to mid-size enterprise business, reflecting not only a drop in notification costs but a structural change in the services that deal with cyber assaults, observes Muglia. Colleges are starting to offer degrees in cyber security, increasing the supply of people equipped to prevent and handle breaches. More vendors offer forensic analysis and client notification, so competition is driving down the cost of these services. Also, the insurance market is competitive, with more than 60 carriers and MGAs offering cyber-specific forms.
The lower rates and wide availability of cyber policies can be a boon to businesses, but the abundance of markets handling cyber risks in different ways complicates purchase decisions. Today’s cyber policy is usually written on a standalone basis, rather than included in a package, but that is where the similarity ends.
These policies vary structurally in how they are written, what they cover, and the preventive and remedial services they provide to mitigate loss. Limits also can vary dramatically. Clients need guidance to understand the actual cyber risks they face and the mechanisms to address them. Often brokers do as well. “Wholesalers, MGAs and specialty providers, whatever the degree of complication, not only can provide coverage for organizations that need broad or specialized coverage or higher limits, but can also guide a broker through the selection and purchase process, whether clients have relatively simple or complicated needs,” explains Muglia.
Two Types of Exposure
Cyber and privacy risks can take many forms, but the coverages are generally divided into two main categories for insurance purposes:
- First Party: This blend of insurance agreements offers value to any policyholder long before a lawsuit is brought by an aggrieved client or regulator. Coverage can include forensics, drafting of notification letters, call centers costs and privacy attorney services. It can even extend to IT systems and data restoration in the event either is damaged. Coverage for business interruption losses, extortion demands and reputational harm can also fall under this broad category.
- Third Party: This section will respond to lawsuits brought against the policyholder in the aftermath of a data breach. Typical third-party claims may come from clients and financial institutions in addition to fines and penalties from state and federal agencies. Professional bodies such as the Payment Card Industry (PCI) also may levy fines in the event of a credit or debit card breach if the policyholder was found to be out of compliance with the group’s safeguarding standards.
Beyond monetary and reputational damage, hackers can potentially take over systems and cause bodily injury. This was demonstrated when, in the process of exploiting a system vulnerability, security researchers wirelessly hacked a Jeep Grand Cherokee and took over driving operations while it was moving. Hospitals, nursing homes and other places where patients depend on electronic devices run by computers have the same inherent bodily injury vulnerability.
Most cybersecurity events have a human component, where an employee unintentionally does something to trigger an incident, and once the malware or virus is activated, it quickly gains access to a company’s systems.
Within an hour, for example, a 2014 hack of Sony infected more than 3,000 computers and 800 networks within the company. But it gets worse. The hacked organization (in epidemiology terms) becomes “patient zero.” From there, the virus can quickly spread to other clients and vendors, essentially infecting everyone else the company does business with, according to Muglia.
One of the best investments an organization can make is the creation of a privacy awareness culture. There is still room for improvement by training staff to recognize phishing emails along with social engineering scams and to mitigate the damage once a breach is detected. Also, Muglia notes, a review of the internal access policy may be in order, as many organizations provide employees with access to sensitive data they do not really need, increasing the chances of expensive human error.
“Initially, insurance carriers were including Cyber Risk coverage with $50,000 limits within policies. The industry has started to migrate from sublimited add-on coverage in favor of stand-alone cyber policies with more robust limits to handle the increased sophistication and cost of cyber threats,” says Olson. The average data breach costs about $7 million—$221 per record—to resolve, according to the Ponemon Institute’s 2016 data breach study.
No “connected” organization is completely safe from cyber losses, so providing a dedicated stand-alone cyber product is critical. “Cyber coverage isn’t meant to be one-size-fits-all but rather should be tailored to address the needs and exposures of the specific business it’s designed to protect,” according to Branden Laxner, Senior Underwriter, Technology Professional and Cyber, Midwest Region, at Markel Direct. Key policy features may include extortion/ransomware, regulatory, social engineering, malware, business interruption, PCI assessments and notification costs. Cyber policies vary dramatically in terms of what they cover and the limits they provide, so it is essential to read and compare policies, he adds.
Markel partnered with Burns & Wilcox, an alliance that gives it underwriting authority for a cyber program that includes hard-to-find full limits for lost money and ransomware/extortion, with premiums as low as $1,000, notes Derigiotis.
For insureds, there are benefits to working with a broker and carrier who are familiar not only with the client’s business, but also with one another, according to Laxner. Because cyber claims tend to move at the speed of the Internet, strong communication between broker and carrier goes a long way toward successful resolution of a loss. Support is also crucial. Markel’s data breach claims team includes breach response vendors and coaches with experience in a wide variety of professional liability disciplines.
In today’s volatile environment, a strong cyber defense demands knowledgeable partners.