Cyber attacks and the resulting losses are high on the radar of today’s businesses. This guide helps you understand the various types of cyber liability and how to ensure your company is adequately protected.
When Sequoia engages with clients to help protect their business, we begin by asking what type of business loss they are most concerned about. The resounding response is, “I’m worried about what happens if our data gets hacked and distributed.” The concern over cyber attacks is understandable considering some of the recent news headlines:
- IBM’s CEO on hackers: ‘Cyber crime is the greatest threat to every company in the world’ FORBES
- Lloyd’s CEO: Cyber attacks cost companies $400 billion every year FORTUNE
- Cyber crime costs projected to reach $2 trillion by 2019 FORBES
- Another big malware attack ripples across the world CNN MONEY
To ensure your company is adequately protected, begin with two simple questions:
Do you know what cyber insurance protection you have?
Do you know what you need?
TYPES OF LIABILITY & COVERAGE
Historically, the insurance industry has been slow to respond to emerging risk issues, but things have caught up on cyber liability in a huge way. There are now over 50 insurance carriers with broad-form cyber policies offering various coverages tailored to specific business operations.
“Cyber” is a catch-all term in the world of insurance for four types of coverage protections:
- Network Security Liability = Protecting Your Systems
  Network security liability is the failure to protect against unauthorized access to data, unauthorized use of data, denial of service attack by a third party, or transmission of unauthorized, corrupting, or harmful code.
- Privacy Liability = Protecting the Information of Others
  Privacy liability is the failure to properly handle, manage, store, destroy, or otherwise control certain types of information, including personally identifiable information (PII), protected health information (PHI), or corporate information. The information can be contained in physical documents and is not exclusive to data stored online.
- Media Liability = Protecting Your Online Presence
  Media liability includes allegations of defamation, libel, slander, emotional distress, and copyright infringement in the display of media material on a website or on social media.
- Regulatory Actions = Coverage for Civil Investigations
  Regulatory actions are proceedings for breach or violation of Federal/State/Local statutes regarding control and use of private information (e.g., SEC, HIPAA, PCI). Coverage for this type of liability can cover the cost of defense, penalties, and associated fines.
WHAT’S ACTUALLY COVERED
Cyber policies offer various coverages depending on the type of liability:
First Party Costs (Network Security & Privacy Liability): First party costs are direct costs for responding to a privacy breach or security failure. For example, costs associated with forensic investigation of the breach, public relations expenses, notification costs of communicating the breach, or business interruption costs (loss of profits and extra expense during the time your network was down).
Third Party Costs (Network Security, Privacy, & Media Liability): If your company gets sued, people make claims against you, or regulators demand response, your cyber policy can provide coverage for things like legal defense, settlements, damages, judgements, costs of responding to regulatory fines and penalties, as well as costs of regulatory fines and penalties. It is important to read your policy for specific terms and conditions of coverage.
At a glance, a cyber policy can cover:
- Privacy breach event expenses (notification costs, forensics, credit monitoring, etc)
- Privacy breach regulatory actions, fines, and penalties
- PCI fines
- Cyber business interruption expenses
- Data repair and restoration expenses
- Cyber extortion costs
- Intellectual property infringement costs (not patent and trade secret)
- Personal and advertising injury costs
DETERMINING YOUR CYBER EXPOSURE
How do insurance underwriters go about rating your business risk and cyber exposure? They will likely take the following things into consideration:
- Industry – High-hazard industry classes have increased exposure due to the number of records kept and a critical reliance on network systems. These industries include Healthcare, Financial Services, Government, Hospitality, Education, and Retail.
- Financial Size – The higher the annual revenue (gross and net considered), the higher the exposure to cyber loss.
- Privacy Risk – What kind of data is being stored? How sensitive is that data? How much data is being stored? How many records or individuals?
- Systems Security Practices – How is data being shared with vendors and service providers? How is this data being protected? Are adequate encryption practices and firewalls in place? Have there been breaches in the past?
- Personnel Security Practices – Inside the company, is there employee training and/or internal policies and plans for disaster recovery and business continuity?
BREAKDOWN OF ACTUAL LOSSES
The good news is that cyber coverage works and companies are restored by the proceeds received from insurance recoveries. Of the $62.3 million in total payouts by cyber insurance carriers in 2016, here is the breakdown of covered expenses associated with the claims:
48% spent on Crisis Services (forensics, notification, etc)
15% spent on Legal Defense
11% spent on PCI Fines (payment card industry)
10% spent on Legal Settlements
10% spent on Regulatory Defense & Investigations
6% spent on Regulatory Fines
NEXT STEPS: GET PROTECTED
Partnering with a qualified insurance broker you can trust is important. A thorough review of your exposures, systems in place, contracts with partners, and data collected is critical when analyzing your cyber exposure. With the increased risk of cyber threats in today’s global economy, your first defense is being sure you have the right protection in place.
When you choose Sequoia to help protect you from cyber liability, you are buying two things:
- Risk Transfer for incidents of high severity
- Expert Service from a retained bench of professionals for legal forensics, public relations, customer notifications and credit monitoring, and breach response
Our team will review your most critical contracts, perform a detailed risk assessment of your business operations, and then review your existing insurance policies to determine what coverage you have and what you might need. It’s our job to ensure your business is protected from the threats of today and all of the ones yet to come.