What is Cyber Liability?
In 1992, when I started our company and bought my first computer (a Gateway 33 MHz), you couldn’t buy a “Cyber Liability” policy. Few people knew what a “website” was, and “security breaches” created images of Mission Impossible.
Flash forward to 2010 and issues arising out of data security, management of confidential information, and infringement of intellectual property rights are all considered major exposures. In today’s interconnected cyberworld, the potential for catastrophic loss has escalated dramatically. Although the early “hackers” seemed to be challenging themselves intellectually to see what type of mischief they could cause, today’s cyberthieves have serious criminal intent in mind. Terrorists, organized crime, and random computer geeks working alone are making cyber crime a growth industry. According to Privacy Rights Clearinghouse, more than 263 million data records of U.S. residents have suffered breaches since 2005.
Risk Analysis
Step one in the Cavignac & Associates Risk Management Process is “risk analysis: identifying assets or circumstances which could lead to a loss.” This process, also known as “exposure analysis,” defines those assets or circumstances as “loss exposures.” Potential exposures include the loss of your company’s data and the cost of restoring it, defending against or settling a third-party claim, cyber extortion, damage to reputation, notifying individuals whose personal information might have been compromised, and paying for credit monitoring of those individuals (if required by law). Nearly every state now requires a business that has compromised an individual’s information to notify that individual. One study of larger companies estimated the cost of a data breach at $204 per compromised record. The same study calculated the average cost of a single data breach at $6.75 million!
Risk Control
Once you’ve defined your exposures, you need to determine how you can manage them. In other words, what can you do to lower the likelihood of a cyber liability claim or the severity of a claim if one occurs? A number of companies focus on helping businesses manage and protect both their own data and the data of their customers. The key is to centralize IT management and develop enforceable policies and procedures across your network. Check the implementation of these policies and procedures periodically. After a suspected or actual breach, take action as soon as possible. If necessary, call the appropriate IT security specialist companies.
Is This Risk Insurable?
As cyber liability exposures have evolved, so has insurance coverage. Although the Insurance Services Office (ISO) created a “standard” policy in November of 2009, most policies today are unique to the company offering the coverage. This means that you’ll need to evaluate the policy to make certain it addresses your potential exposures. These policies include both first-party and third-party coverages. First-party coverage pays you for the costs of repairing or replacing damage caused by a covered peril; third-party coverage includes the cost of defending and settling third-party claims, including regulatory actions.
Cyber Liability policies usually include some or all of these coverages:
- Website Publishing Liability – Nearly everyone has a website these days. This coverage protects you from liability based on information posted on your website, which might include actual or alleged misstatements; infringement of another’s copyright, trademark, etc.; or violation of a person’s right to privacy.
- Security Breach Liability – Covers your liability from a security breach or transmission of a computer virus to a third party. A security breach occurs if an unauthorized person accesses the personal information of another, or if someone authorized to access such information uses it inappropriately.
- Programming Errors and Omissions Liability – Protects against your legal liability from actual or alleged programming errors that lead to disclosing a client’s personal information.
- Replacement or Restoration of Electronic Data – This first-party coverage repays you for replacing or restoring data or programs damaged or destroyed as a direct result of a computer virus or similar bug.
- Extortion Threats – Reimburses you for extortion expenses and ransom payments resulting directly from an extortion threat. These threats usually involve introducing a virus or malicious code, or publishing clients’ personal information.
- Business Income and Extra Expense – Covers loss of business income and extraordinary operating expenses due to a cyber incident or extortion threat.
- Public Relations Expense – Cyber liability incidents can create bad press. This covers the costs of a public relations firm to help you protect or restore your reputation after such an incident.
- Security Breach Expense – Covers the often significant expenses of notifying others that their personal information has been compromised. These costs include overtime salaries for employees dealing with the issue, fees and costs of a company hired to operate a call center, post-event credit monitoring services, and other reasonable expenses.
The Cost
Cost can vary dramatically, depending on the type of business, the type and volume of information on file, and other factors. Because Cyber Liability insurance is a relatively new coverage, there’s not a large enough database to calculate rates. Most companies base their prices on what they believe the exposure to be and what they think they can charge. Annual premiums for smaller firms (with fewer than 50 employees) will probably range from $1,000 to $10,000. Larger firms might expect to pay $15,000 to $25,000.
Best Practices
Every firm, regardless of size, should evaluate its exposure to this type of loss and determine what steps it can take to manage this type of potential claim. Finally, you should obtain a quotation for coverage. Even if you don’t buy the coverage, you should know the cost and make the conscious decision not to buy it, as opposed to assuming you can’t afford it.
Managing a Security Breach
If you become aware of an actual or potential security breach, investigate it immediately! If personal information has been compromised, at a minimum, you should take these steps:
- Depending on the circumstances, contact local law enforcement, and if appropriate the FBI and possibly the U.S. Postal Inspection Service (if the fraud involves mail theft).
- Notify any businesses that the breach might affect.
- Notify any individuals whose personal information might have been compromised. Designate a contact person to coordinate the notification process.
- If the incident involves Social Security numbers, credit card information, or other sensitive personal information, contact the major credit bureaus.
- Remove any inappropriately posted information on your website immediately.
- Consult with counsel to make certain you’re complying with any applicable laws, specifically those pertaining to notification and credit monitoring.
- Notify your insurance advisor to determine if insurance might apply to the incident.
- If necessary, consider contacting your public relations consultant to help manage the process and protect your firm’s reputation.
Article Courtesy of Jeffrey Cavignac of Cavignac and Associates (www.cavignac.com). Jeff is a long-time HR That Works and Sitkins International member located in beautiful downtown San Diego.