Cyber Security and Liability Insurance: Stand-Alone Cyber Policies On The Rise

After companies began electronically storing sensitive business and customer information, the insurance industry focused heavily on privacy protection.  Businesses began implementing breach defenses and response protocols in an effort to avoid or mitigate the effects of having personal health information, financial information, trade secrets, or intellectual property stolen or used without authorization.  In many cases, hackers held the information hostage and demanded payment of a ransom (“ransomware attacks”) in order to release the information and not expose it to the public.  Breaches in privacy protection cause other expenses related to notification, data recovery, public relations management, reputation damages, and others.  Thus, cyber insurance became a popular line of coverage offered by insurance companies.  Now, with cyber-attacks getting increased media attention, the insurance industry has broadened coverage for cyber security and cyber liability into more areas than just privacy protection.

Businesses are learning that cyber breaches do not just affect privacy protection; they can also interrupt business and cause property damage.  The most common course of action when a breach is noticed is to stop operations.  When systems shut down, so does the flow of goods and services.  When the flow of goods and services stops, money stops coming in.  With regard to property damage, many, if not most, businesses now rely on some form of computer-controlled regulation in their buildings.  For example, it is common to have a building’s heating and air conditioning set on an electronically stored schedule.  If, however, the heat does not turn on when it’s supposed to, water lines can freeze.  If there is water in the pipes, that too freezes and, when the ice expands, it can cause the pipes to break, releasing water into the building.  As another example, consider factories that rely on computer-controlled cooling fans.  If they are stopped, machines overheat and start fires.  These kinds of losses are notable particularly because they do not require activity on the part of a sophisticated hacker.  Rather, human error and technical glitches can cause these losses.

Hence, new lines of insurance coverage are popping up in the marketplace.  Cyber coverage for business interruption and property damage is starting to be offered as umbrella coverage over property, kidnap, and ransom policies.  Stand-alone cyber policies are also being offered.  However, the market is young and maturing.  Policyholders need to review and re-review their policies to ensure proper wording for issues such as cyber extortion, business interruption, contingent business interruption, and cyber property-related coverage.  To keep premiums low in a time when cyber breaches regularly make front-page news (Equifax, Home Depot, etc.), businesses should be ready to demonstrate breach-readiness, such as the establishment of incident response teams, as well as internal and external cyber security controls.

Cyber Attacks: Prepare, Prepare, Prepare

A cyber attack is any incident in which sensitive, confidential information is stolen or used by unauthorized individuals.  Cyber breaches may involve the theft or unauthorized use of personal health information, financial information, trade secrets, or intellectual property.  The consequences of a successful attack may include embarrassment, bad press, loss of business, loss of huge amounts of money (whether by theft or through the payment of ransoms in “ransomware attacks”), civil penalties, and even criminal prosecution.

When a breach occurs, companies spend enormous amounts of money hiring forensic investigators to figure out what was breached, who did it, the type of information accessed, and the extent of the damage.  They spend even more money determining how the breach happened, and what steps are needed to defend against future attacks.  Finally, they are forced to pay monitoring firms for years to come in order to protect customers from any future damage, protect the company brand, and reestablish trust with current and potential clients.

It is essential that corporate executives and owners make cyber security a priority in both planning and budgeting. While responding to a breach is expensive, the true cost to the company cannot be measured in dollars and cents. Tech-savvy customers want to know that their personal and/or financial information is safe from the rest of the world.

To instill confidence in potential customers (and avoid paying the costs associated with cleaning up a cyber spill), companies need to have a game plan in place before a breach ever occurs.  The establishment of incident response teams is a vital first step.  The team should be made up of individuals who are team-oriented, detail-focused, and capable of sticking to the game plan when stress levels rise.  These carefully selected individuals must understand the importance of their roles and devote themselves to constant learning as cyber security issues evolve. Companies might also consider employing full-time services from outside providers.  In the end, it will be much more expensive to respond to a successful breach than to avoid one in the first place.