The “20” on Cyber Insurance in ’21
To say that cyber insurance is a hot topic and an enduring trend is a major understatement. It is hard to imagine that its urgency is not common knowledge, given how serious and fast-growing the cyber threat is and how essential insurance has become to risk management. Indeed, as Ginni Rometty (IBM former chairman/current board member) has said, “Cybercrime is the greatest threat to every company in the world.” Warren Buffett went further and said cyberattacks are the number one problem with mankind. Not that I necessarily agree with him on that, but I think it highlights the importance of the subject at hand!
What is Cyber Insurance?
Cyber insurance has (or rather, with a robust policy, should have) two parts with respect to the parties covered: first-party coverage for your business and third-party coverage for your liability exposure. It covers a business's liability and associated expenses (defense, settlement, and various business expenses) concerning data breaches. This includes, but is not limited to, first-party coverages such as notification costs, credit monitoring, costs to defend claims by state regulators, fines and penalties, and loss resulting from identity theft. It may also cover liability arising from website media content, as well as other exposures from (a) business interruption, (b) data loss/destruction, (c) computer fraud, (d) funds transfer loss, and (e) cyber extortion (as per IRMI).
Why is it important?
Because it’s a growing exposure. Breach incidents are increasing. Unlike catastrophic weather-based claims, cyber breaches are human-induced, and we simply don’t have the data set that we have for catastrophic (CAT) claims to get a clearer picture of predictability. It’s also important from a contractual compliance perspective, as it is now increasingly standard in vendor agreements when vendors engage with potential clients. All 50 states have laws. It’s also an integral part of a solid risk management process.
What are the components of a Cyber Insurance policy?
Network Security Liability: (3rd party) an insured’s system fails to prevent a security or privacy breach. Includes transmission of a virus.
Privacy Liability: (3rd party) an insured fails to protect electronic or non-electronic information in their care, custody, and control.
Media Liability: (3rd party) intellectual property and personal injury perils. May result from a website.
Regulatory Liability: (1st party) federal and state fines, penalties, investigations.
Crisis Management: (1st party) notification expense, credit monitoring, forensic investigations, public relations.
Data Recovery: (1st party) expenses to investigate a system intrusion and recover data.
Business Interruption: (1st party) lost income, extra expense to restore operations.
Cyber Extortion: (1st party) payments made to a party threatening an insured’s system.
Technology Services/Products & Professional E&O: added when applicable for failure to perform as indicated.
The important distinction here is between a thin layer of coverage, often implemented through an endorsement added onto a Business Owners Policy or Commercial Package Policy and limited both in scope of coverage and in monetary indemnification limit, and a robust stand-alone policy with a premier platform. Claims handling and cyber security services are also a key component and value-add. Here are some eye-opening statistics:
According to Business Venture’s 2019 Statistics Report, “What makes the ransomware problem worse is that nation-states are involved. Investigations proved that the WannaCry and NotPetya ransomware attack campaigns were orchestrated by nation-state actors. They may have started in 2017, but their effect continued into 2020. The objective was to destroy information or cause distractions rather than to derive financial benefits.”
To summarize, we’ve only scratched the surface of the volume of alarming statistics, but the picture is crystal clear: cyber insurance protection is a must! It is also only one part of the overall proactive engagement necessary to implement a successful long-term strategy. Other critical components are partnering with expert IT security firms, active ongoing maintenance, employee training, and having the right tools and procedures in place. Holistically formulating a layered and dynamic approach to the ongoing and increasing cyber threat landscape is the best way forward.