In 2013 and 2014, high-profile data breaches at several
major retailers and banks put millions of customer credit card numbers in
criminal hands. These events put large numbers of people at risk of identity
theft, and incurred millions of dollars in IT consulting, legal, and public
relations costs to the companies.
But data breaches don't just happen to global corporations.
Any organization that stores its data digitally is a target. According to the
Chubb Institute's 2012 report, US Public Companies' Perceptions of Risk, and
Their Risk Mitigation Strategies, approximately 2 in 5 companies surveyed
experienced a major data breach, with an average cost of $5.5 million. And
according to Verizon's 2012 Data Breach Investigations Report, a large majority
of data breaches were found to take place in companies with 100 employees or
fewer.
The costs of a data breach can be damaging to larger
corporations-and ruinous to smaller ones. Cyber liability insurance is the only
product that covers the financial fallout of these events. For insurance
agents, this type of coverage represents a significant opportunity.
What Is Cyber Liability Insurance?
Cyber liability policies are specialty lines designed to
provide the coverage most corporate policies don't offer when it comes to data
breaches. These policies are usually tailored to the specific risks faced by
individual insureds. Possible costs to be covered include:
• Emergency data breach response and crisis management.
• Legal expenses-including privacy legal consulting and defense.
• Regulatory fines and defense expenses.
• Network security and IT-related costs.
• Claims from 3rd-party vendors and suppliers.
• Class action claims by affected consumers.
• Customer notification, credit monitoring, and remediation costs.
• Website vandalization and defacement.
• Loss of business due to breach of public trust.
• Public relations expenses.
• Cyber extortion and ransom demands.
• Intellectual property infringement.
• Network downtime costs, including loss of business income due to downtime.
• Legal expenses-including privacy legal consulting and defense.
• Regulatory fines and defense expenses.
• Network security and IT-related costs.
• Claims from 3rd-party vendors and suppliers.
• Class action claims by affected consumers.
• Customer notification, credit monitoring, and remediation costs.
• Website vandalization and defacement.
• Loss of business due to breach of public trust.
• Public relations expenses.
• Cyber extortion and ransom demands.
• Intellectual property infringement.
• Network downtime costs, including loss of business income due to downtime.
There is often overlap between cyber liability coverage and
other corporate policies, such as crime coverage. But the damage caused by data
breaches can be extremely broad, and no other type of corporate insurance
covers all or even most of the cost. That's why this type of coverage is so
essential to any organization with digital data and assets to protect.
Who Needs Cyber Liability Insurance?
When we think of data breaches, most of us think of
high-profile events with recognizable nationwide or global brands. And while
it's true that these companies are obvious targets, small and mid-sized
businesses are often even more vulnerable. Hackers are aware that smaller
companies often don't have the resources to fully protect their data or
investigate a breach.
And while these high-profile examples are in retail and
finance, neither is the most high-risk industry. According to the Identity
Theft Research Center's 2014 Data Breach Reports, the sectors that experienced
the highest number of data breaches in 2014 were as follows:
• Medical and healthcare: 42.5%
• Business: 33%
• Government and military: 11.7%
• Education: 7.3%
• Finance and banking: 5.5%
• Business: 33%
• Government and military: 11.7%
• Education: 7.3%
• Finance and banking: 5.5%
However, the application for cyber liability insurance is
broad-and there's a case to be made for this type of insurance in almost every
organization and industry, both in the United States and abroad.
The law is also catching up. Currently 47 US states, the
District of Columbia, Guam, Puerto Rico, and the Virgin Islands have mandatory
breach notification laws requiring companies to inform customers when their
data has been compromised. In Europe, the pending EU Data Protection Regulation
will impose a similar requirement. The SEC also has a guidance framework in
place for public companies, strongly urging that they divulge data breaches and
hacking incidents on their networks.
This means that no company based in these areas can legally
or ethically keep a data breach out of the public eye, which only compounds the
cost to the company's bottom line and reputation. The expenses
incurred-including legal, notification, public relations, IT forensics, and
loss-of-business costs due to erosion of public trust-can quickly build up.
As the cost of a breach continues to grow, it's likely that
cyber liability insurance will become the norm across a variety of
industries-especially the most high-risk.
Overcoming Barriers to Purchase
Despite the growing dangers and regulatory trends, most
public companies still haven't purchased cyber liability insurance. Here are a
few reasons why:
Lack of familiarity among insureds. This is still a new
insurance product. One reason it's not a common purchase may be that
decision-makers don't know it's an option. However, awareness of cyber risk is
growing. According to the Chubb Institute report, 63% of decision-makers
surveyed expressed concern over data breaches, and 52% are taking steps to
enhance digital security. This is good news for insurance agents. It indicates a
huge opportunity to speak to that concern by educating decision-makers about
cyber insurance.
Cost of coverage. There's opportunity here for insurance
agents to guide their customers in reducing premium costs. Companies can reduce
the cost of premiums by taking pre-emptive steps to mitigate risk, such as
assessing their own specific risks and implementing a targeted IT security
policy.
Lack of familiarity among insurance agents. Despite the
clear need for it, cyber liability insurance is a new budget item for many
companies-and persuading them to spend the money can be a daunting task for
insurance agents unfamiliar with the product.
This field encompasses a specialized spectrum of technical
and insurance expertise. Especially for agents who are new to the field, it's
crucial to find a wholesale broker who can present to the insured, provide
options they can understand, consult with them to mitigate risk, and serve as a
partner to new insurance agents in building credibility.
Choosing a Wholesale Insurance Broker for Cyber Liability
Insurance
A wholesale insurance broker is essential in placing cyber
liability risk, and can be an extremely valuable partner in presenting to
insureds. But not every broker has the expertise to answer tough technical and
financial questions from insureds. Here are some key deliverables to look for.
A proposal that identifies your insured's pain points. A
good proposal will be able to pinpoint your insured's vulnerabilities right
away, and identify appropriate coverage and limits based on evidence such as
real-time data and examples of prior claims for similar businesses. It should
take into account the following:
• Business plan
• E-commerce system
• Data collection practices
• Regulatory exposure
• Data security procedures
• Privacy policies
• PCI exposures
• Aggregate loss exposure
• E-commerce system
• Data collection practices
• Regulatory exposure
• Data security procedures
• Privacy policies
• PCI exposures
• Aggregate loss exposure
A current library of claims. The wholesale broker should
maintain a current library of claims examples for every industry-including that
of your insured. This gives their team the ability to analyze risk exposure
prior to an incident, provide expertise in marketing that risk to carriers, and
get access to policies tailored to it.
Strong relationships with underwriters. The right broker
should also maintain robust working relationships with underwriters who
specialize in cyber liability, and have an in-depth understanding of which
markets are best suited for insureds of specific classes. A broker who does a
large volume of cyber submissions often gets priority with these underwriters.
Signs point to the likelihood that this product will become
an important facet of corporate coverage for organizations in almost every
industry. Now is the time for insurance agents to get in ahead of the trend-so
they can be ready when customers need it. In addition, cyber insurance premiums
are cheaper now than they are ever going to be. Insurance agents who can get
into this market now will be far ahead of their competition as prices rise.
Works Cited
The Chubb Institute: US Public Companies' Perception of
Risk, and Their Risk Mitigation Strategies. (Accessed March 24, 2015).
Verizon: 2012 Data Breach Investigations Report. (Accessed
March 24, 2015).
Identity Theft Resource Center: Data Breach Reports.
(Accessed March 24, 2015).
National Conference of State Legislatures: Security Breach
Notification Laws. (Accessed April 7, 2015).
European Commission's Directorate General for Justice and
Consumers: Protection of Personal Data. (Accessed April 7, 2015).
US Securities and Exchange Commission: CF Disclosure
Guidance: Topic No. 2. (Accessed April 7, 2015).
0 Comments