The term Cyber-Insurance, Cyber Liability Insurance, Internet Privacy Liability coverage are all different words used to describe the broad Cyber coverage form. What is it? What does it cover? And, why may your business need it?
Let’s start with need.
It’s important to understand that most all businesses that have any form of personal information of employees and customers stored electronically have an exposure to loss that falls within the label of Cyber exposure. That exposure can be loss of information due to hacking – such as customer credit card information in the Target case; or complying with federal and state regulations on notifying customers when their personal information may have been compromised. These two potential risks can be the most financially devastating and neither requires that you be an e-commerce business to be exposed. Unfortunately the standard general liability and business umbrella policies do not cover these sorts of risks, so when it comes to “need” just about all businesses need protection from the fasted growing segment of hazard risk in business today, because the risk isn’t covered elsewhere.
To put some numbers around it, the average cost of a corporate data breach in 2012 was $5.4 million, and while that number includes some noteworthy losses, it also includes tons of smaller breaches as well. Also, we think of Cyber Risk as damages and destruction occurring at the hands of outsiders like hackers, and cyber criminals, but the policy also covers accidental damage, administrative and operational mistakes, and loss caused by your own employees and vendors! A recent survey by Chubb Insurance Company found that 59% of system breaches were caused by human error or system faults, the remaining 41% were malicious or criminal!
What is covered?
Cyber coverage is not a standardized policy form. Each insurer’s policy will differ from the next, but in most cases the policy will cover a combination of first-party (damages you directly sustain) and third-party coverages (damages sustained by others which you’re held legally liability for).
Here are the top 6 coverage features found on most policies:
- Loss of digital assets – Property insurance will cover damage to a computer, but when your data is hacked, stolen or destroyed, your property insurance will not pay for that loss. Customer lists, code, and data stored on computers or on the cloud can represent tremendous asset value for your business, and if destroyed by hackers or deleted by accident it’s not covered elsewhere. Think of the possibility of an employee opening a worm or virus in an email that shuts down servers and eats your data, or the possibility of a disgruntled employee deleting/destroying data, or carrying it out of your business on a thumb drive. Scary, but real possibilities.
- Business Interruption (non-physical) – When your business is shut down due to a covered loss like a fire, your business property policy should respond by paying your lost profit and ongoing expenses as you remediate your location. But, what happens when your suffer downtime from a hack, virus, or denial of service attack? If you run a website that is shut-down, how do you replace that revenue stream? Again, the standard business policy won’t cover this loss, but most cyber policies do.
- Notification Expenses – This is probably the biggest exposure for most businesses as almost every state (as well as the federal government) has regulations on notifications that must take place following a breach of a computer system. Under those laws you must notify all possible affected customers, employees, or others whose information may have been stolen, or breached, and offer them ongoing credit monitoring services. It’s estimated that those cost can run as high as $188 per record – if you had 10,000 records breached that’s $1.88 million in notification costs alone! Is it covered elsewhere? No, typically only the Cyber policy will respond to such a loss.
- Network Security & Privacy Liability – This section of the policy covers your potential liability (suits from third parties) arising from a breach of your network security or from a breach of privacy. Think about the potential costs of lawsuits from breaching a person’s (or group of peoples) right of confidentiality, or privacy, or corporate information breach. Network security claims usually flow from unauthorized access to your systems, denial of service attacks on your systems or others, or the spreading of malicious code from your systems. The potential for serious loss dollars is significant in this area.
- Electronic Media or Content Liability coverage – This part protects your company from claims arising from posting content on the web and social media which allege slander, infringement, defamation, etc. While some of those allegations are covered by the standard general liability (GL) form, that policy excludes coverage for businesses in the “publishing” business. While you may not think that your business is in “publishing”, the courts have ruled that blogging, posting to social media, and publishing a website constitute publishing activities, therefore excluding coverage on the GL policy and the reason for inclusion in the Cyber Liability form.
- Crisis Management & Reward Expenses – When a cyber-event strikes a company and sensitive data is compromised (whether it’s corporate records, client information, or employee information) there is a need to respond quickly and communicate effectively. This coverage part funds the costs of managing the “crisis” and in many cases gives you access to the insurance company’s panel of experts. The faster you can plug up the holes in your systems and communicate effectively the better off you will be financially.
- Then there are a variety of other coverage parts depending on the insurer’s policy form which may include one or more of the following: Cyber Extortion Threat coverage, Regulatory Investigation Expense coverage, Employee Privacy Liability coverage, Cyber Terrorism coverage, E-communication Loss coverage, Vandalism Expense coverage, and more.
What’s important to understand is that every policy form is different and can be customized to meet your specific needs. Some policies will permit purchase of just one coverage part; others may require all coverage parts be purchased. Other issues to look for are the limits of coverage per coverage part, the maximum or aggregate amount the policy will pay in any one loss or policy term, the policy deductibles/retentions and whether defense is paid for “inside” the limits of liability or in addition to the limits.
For more information on Cyber Liability Insurance for your business, please contact us using the contract form on this page, or calling 800-287-4115.