Protecting Businesses and Consumers with Cyber Liability CoverageAugust 01, 2018
Cyber liability coverage is a relatively new product but this form of insurance is increasing in popularity as news reports of data breaches at employers and retailers, large and small, appear with increasing frequency.
While many business owners are aware of cyber liability insurance, relatively few understand their specific needs and exposures to cyber-related losses. Third party vendors are now responsible for the majority of storing, transmitting, and transferring personal information and direct financial transactions between businesses and their customers have diminished. Regardless of who is contractually responsible, in the case of a breach or compromise, many businesses will experience a heightened sense of accountability and goodwill owed to their customers. With the potential for private information like social security numbers, credit card numbers and personal health information getting in the wrong hands, businesses and their consumers should always be protected.
The fundamental categories of losses generated from a cyber breach can be generalized into three categories:
- First Party Losses – those costs having a direct impact on and born directly by the company experiencing the breach. These include costs to respond to the data breach such as notifying customers affected, which is required by state law, in addition to public relations costs, reputational damage, computer forensic, and legal costs.
- Third Party Liability Costs – exposure to defense and settlement costs and lawsuits that involve network security, privacy, and media exposure
- Regulatory Costs – investigation costs and privacy/Payment Card Industry (PCI) fines and penalties
Exposures for loss can arise from multiple sources, including authorized users of a system, such as employees, unauthorized users of a system, i.e. hackers, cyber extortion, former employees, etc., or lost or stolen non-encrypted devices such as smart phones, tablets and laptops.
If you think cyber-attacks only occur at large corporations, think again. A recent Symantec Survey indicated that 40% of all targeted cyber-attacks are aimed at companies with under 500 employees.
One of the challenges with cyber liability insurance coverage is knowing how much coverage is enough. Many insurers offer cyber liability coverages via endorsements and sub-limits on existing liability, property or malpractice policies. While endorsements and sub-limits are certainly better than no coverage, buyers can be providing themselves with a false sense of security. With the average cost per breached record reaching as high as $202, a standard $100,000 sub-limit could be grossly inadequate. It would take a breach of a mere 500 customer names to burn through this limit. In addition, many sub-limits are offered on a blanket limit basis and don’t separately include first party coverage, third party coverage and PCI/regulatory coverage, therefore the risk of inadequate limits grows exponentially.
Rather than relying on endorsements and sub-limits to transfer this risk, consider purchasing a free-standing cyber liability insurance policy. As more insurers enter this market, competition is pushing rates down and the better cyber liability insurers have excellent teams to assist with your response to a breach incident, including lawyers that specialize in breach incidents. You may be able to protect your organization from an overwhelming balance-sheet exposure for a relatively minimal annual cost. Remember, Risk Management 101 states a business should not risk a lot of exposure for a reasonable premium.
In summary, cyber breaches are the future source of theft losses. If you collect, store, process, or transfer personally identifiable information for your customers, you need to evaluate your exposure to and tolerance for cyber liability risks. The decision to self-insure this exposure must be an informed decision, not an unintentional oversight.
Ryan Sewell, CPCU, is a client advisor in Seacrest Partner’s property-casualty insurance practice. Ryan has 10 years of commercial insurance and risk management experience. He can be reached at 912.988.5146 or firstname.lastname@example.org.