This article was published in the January 2016 issue of Wine Business Monthly.
When asked who should buy cyber insurance, one expert responded, “more companies than realize it.” The truth is, almost every company in the country collects its customers’ or its employees’ Personally Identifiable Information (PII) or Protected Health Information (PHI), and every company that is connected to the internet, in any way, is vulnerable to attack.
We have all heard of the large-scale attacks on Target, Home Depot, Anthem, even the IRS and the federal Office of Personnel Management. More recently, the Ashley Madison hack garnered quite a bit of publicity. The news generated by these cyber attacks made us aware of some of the types—and the amount—of our personal information other companies hold on to. This information includes such data as credit and debit card information, Social Security numbers, medical information, driver’s license numbers, bank account numbers, as well as non-PII, such as names and addresses. While names and addresses may not be sensitive on their own, this information can be when combined with other information (e.g., a Social Security number). Companies large and small routinely collect this data from customers and business partners, as well as from employees. As a result, it’s not just big companies that are targeted by these attacks.
Most attacks are made using the blind “shotgun” approach: hackers and spammers send out hundreds of thousands of phishing emails (“official”-looking emails that trick the recipient into providing sensitive information) or emails that carry malware, such as Trojan horses or viruses, which surreptitiously installs software on a computer to give the hacker access to the victim’s computer and systems.
Additionally, many legitimate websites have become infected without their owners’ knowledge, and these websites can infect the computers of visitors. In 2013, Sophos Labs (a company that collects, correlates and analyzes data to detect and protect against new threats) found that each day, 30,000 new websites distribute malware to their visitors. While also replicating itself on the victim’s computer, some of this malware gives the hackers access to the servers, systems and networks the visitor’s computer is connected to. Sometimes, employees will create the exposure, either through accidental dissemination of information, misconduct or as part of a criminal enterprise.
Who is Responsible for Damages?
The law states that the company that collected the PII and/or PHI is responsible if the information is lost or stolen. Even if a company’s own computer system is the one compromised, that company is still responsible for any lost or stolen PII and PHI. If a credit card processor is hacked and customer data is stolen, the company, not the processor, can be held responsible. If an employee accidentally sends PII or PHI to the wrong person, the company can be held responsible. Then, of course, if a system is brought down by malware or a denial of service attack, the business can’t operate.
The average total cost to a company that suffers a data security breach in 2013 was $5.9 million—about 15 percent higher than the previous year. This represents a cost of about $200 per stolen record. Nearly half of all data security breaches were caused by malicious or criminal attacks, and the other half resulted from human error or system glitches.
Insuring Against the Risk
Traditional insurance provides limited, if any, protection against cyber losses. Commercial General Liability (CGL) and Property policies are usually written on standard forms, so the coverage offered by one insurer is very similar to that offered by all other insurers. While they may provide some cyber coverage, these policies were written long before the concepts of data security breaches and internet exposures were thought of. While some loss may fall within that coverage, insurers say that these policies were not intended to cover cyber losses. As the insurance industry adapts, however, it is changing the terms of standard CGL and property policies to exclude these cyber risks.
Insurers are steering their customers toward specialized cyber policies. These policies are relatively new and are designed to cover these emerging risks. They can provide very helpful coverage to companies. However—and very importantly—cyber insurance policies are written on non-standard forms. Each insurer’s form offers different coverages and restrictions. Additionally, the forms are lengthy, very complex and can be hard to understand. For these reasons, the help of a good, knowledgeable broker or insurance coverage counsel is important to help you understand what a policy covers and what other options may be available.
Generally speaking, cyber policies typically cover first-party losses that arise from a data security breach. These include crisis management costs, forensic investigation costs, legal costs, notification costs and costs associated with providing affected customers with credit monitoring. Other first-party coverages available include business interruption (loss of profits caused by your business being unable to operate because of a cyber attack or other covered loss) and damage to your own computer hardware. Business interruption coverage is usually restricted to events where the cause of loss is on your own computer system (as opposed to an attack on one of your providers), though it may be possible to negotiate coverage for losses caused by one of your service providers being down as the result of an attack or data breach.
Cyber policies may also provide a defense against lawsuits that allege the loss of PII or PHI belonging to employees, customers or business partners. They also may provide coverage for regulatory investigations and fines. Just be aware of the limits. Unlike traditional CGL policies, defense costs under cyber liability policies are usually included within the policy limit, not in addition to it. All payments by the insurer, whether in the form of indemnity for first-party losses or for defense costs, will erode the policy limit.
Also, be aware of sub-limits applicable to many of the coverages in cyber insurance policies. The amount of coverage available for these losses may be significantly less than the face amount of the policy.
Until recently, the market for cyber insurance was competitive as insurers sought to gain a share of a growing market. There still is a fair level of competition in the market, but we’ve heard of insurers becoming more stringent in their underwriting and charging higher premiums. Still, applications can be relatively simple. In some cases, insurers will just want to know about your computer systems and what safeguards you have in place. Some insurers will offer a discount if you have a security analysis of your system performed and agree to abide by the security company’s recommendations.
What to Look for in a Policy
Because insurers are competing for business, policy terms are sometimes negotiable. Because policies are non-standard, each insurer’s policy will provide slightly different coverages, and many are willing to change their forms in certain respects to gain your business. Issues to watch for that can sometimes be renegotiated into more favorable terms include:
Policy trigger: The third-party sections of different insurers’ policies can be triggered by events, losses, claims or suits. The trigger of a policy can make a huge difference to the coverage available. Negotiate for an “event” trigger if you can, which provides coverage from the moment it’s discovered that a “data breach” event has occurred. By way of contrast, a “suit” trigger doesn’t provide coverage until someone files a lawsuit against you. Sometimes a system will be compromised long before anyone realizes it or anything is stolen. If it’s determined that the attack happened before you bought your first cyber policy, the ensuing losses may not be covered. Retroactive coverage to cover such losses can sometimes be bought.
Breaches of third-party systems: Some policies don’t cover losses caused by attacks on third-party systems (such as credit card processors). This is usually a restriction hidden in the policy’s definition of “computer system” or “your system.” Some policies define these terms as just being the hardware on your own premises. Others provide a more expansive definition, to include networks your computers connect to. If you store PII or PHI in the Cloud or with a service provider, carefully evaluate these provisions and negotiate them, if necessary, to cover incidents occurring on your vendors’ systems.
Coverage territory and location of security failure: Some policies only cover loss of data occurring at your premises. All businesses have exposure from the systems they connect to and from service providers, such as credit card processors.
Additionally, you may have significant exposure from employees who travel with laptops, tablets and mobile phones. Employees on vacation have been known to leave phones in bars, taxis and on beaches. Negotiate coverage for data losses caused by loss or theft of such devices. Be aware that some insurers who claim to cover data breaches caused by the loss or theft of such devices also have an exclusion that takes away coverage if the data wasn’t encrypted.
Indemnity agreements should be considered as part of your company’s cyber risk management review. Small wineries typically don’t have any real market power when dealing with service providers such as credit card processors or third-party sales handling services. Even if a service provider’s contract does promise to indemnify you for your losses caused by their data breach, be aware that an indemnity is only worth the price of a sheet of paper if the assets behind it are not sufficient. Any provider who has suffered a data breach will likely have a lot of customers that rely on similar indemnity agreements. It may not have the resources or the insurance limits to cover all its liabilities.
Rather than exclusively rely on indemnity agreements, the better approach for your company may be to negotiate the broadest coverage possible on your own cyber policy. Your insurer will have the right to subrogate against the service provider if it thinks it was responsible for a loss and, in the meantime, will provide resources for you to minimize the damage to your own business.
If your company does suffer a loss where customer or employee data is stolen or compromised, tell your insurer as soon as you can. Laws regarding who to notify of a data breach—and when—are complex, and the relevant law regarding notification is the law of the state in which the “victim” resides. Currently, 47 states have their own notification laws, most of which differ somewhat from each other. Europe also has its own laws. Expert advice is required to deal with this legal maze. Insurers have teams of expert resources available to deal with these issues, as well as access to PR experts and forensic investigators with experience in dealing with cyber security breach situations. Companies that suffer cyber attacks sometimes engage their own experts first, trying to contain the situation. Without prior insurer approval, those costly expenditures might not be covered.
Finally, keep an eye on all your insurance policies. Policy form wording and coverages are changing rapidly, and what’s covered today may not be in next year’s renewal. Conversely, new coverages may be available next year that aren’t available now.