It’s all but impossible to do business today without computers and the Internet. Even if a computer is used for nothing more than accounting and keeping track of orders, a data loss or equipment failure could mean economic hardship for any company.
Throw in the use of email, a website or social media and a company’s risk exposure could be greater than that posed by the more physical threats of fire or other disasters—especially where privacy laws and the potential for lawsuits are involved.
As unprepared as some companies could be for this, the real shock may come when they find out their commercial business liability insurance doesn’t cover them in cyberspace.
“It would cover the loss of a computer if someone stole a computer or a laptop but it doesn’t cover the information on it. With a data breach everything that’s digital is not covered,” says Christine Marciano, president of Cyber Data Risk Managers, LLC.
She says Sony learned this the hard way in 2011 when someone hacked into 77 million PlayStation accounts and stole customer information—as the company discovered its commercial liability insurance didn’t cover a data theft. Sony, which faces a class-action lawsuit, put its losses at $171 million. Some estimates say the losses could cost up to $2 billion.
Other companies have faced losses as well. A study by the Ponemon Institute, released in March, examined 49 U.S. companies in 14 different industries. It put the average cost of a data loss at $5.5 million per organization, plus $3.01 million in lost business costs. The cost of lost data was $194 per record.
The heavy price tag comes from tracking down the reasons for the data loss, figuring out what records were taken, notifying customers, dealing with the public, the loss in business from customers leaving the business and, in some cases, a company being unable to function when its computers were down.
Companies not only face a liability risk from their own employees if personal data is hacked into or stolen; they can also be held liable for losing a customer’s information or for infecting a client’s system through an undetected virus.
Although bigger companies get the headlines when there’s a data breach, smaller businesses are at an even greater risk. They don’t have the deep pockets of the larger companies, so their computer systems could be less protected and an easy target for hackers.
A 2010 survey by Symantec Corp. found that 73 percent of small and midsize companies had experienced a cyber attack and the number of attacks increased by 93 percent from 2009 to 2010.
“This cuts across all sizes of companies and honestly it’s more dangerous for the small to middle market companies because quite frankly they might not have as many funds to spend on IT protection, whether it’s in-house or externally,” says Ken Goldstein, vice president at Chubb Insurance. The company estimates that half of all companies that suffer data breaches have fewer than 1,000 employees. “Inevitably they will have some type of a cyber liability event happen to them regardless of how they prepare,” Goldstein says. “You do not want to be in a situation as a small middle-market company dealing with a breach without the ability to transfer the risk. It could effectively wipe you out of business.”
The wild wild west
Cyber insurance began in the early 2000s but didn’t get much attention until more recently, with high-profile cases like the Sony breach. Unlike a house or a business, which are easy to quantify, a company’s cyber insurance needs can be harder to define, and policies differ greatly among carriers.
“They need to work with somebody that specializes in it just to be able to know what’s covered and what’s not,” Marciano says. “They do vary greatly and it’s sort of deemed as the wild wild west right now just because it’s all over the board and the premiums are across the board too.”
Marciano says a typical policy for a data breach would cover the costs of notifying customers, credit monitoring services, hiring a computer forensic investigator and a privacy attorney, crisis management, regulatory fines, loss of business income, plus privacy and security liability.
In setting rates for cyber insurance, insurance companies examine things like the type of records a company keeps, how well it protects them and whether it has a plan for dealing with a loss or an attack.
“They’re looking at the hygiene of the organization to really see what they are doing to control their risks as far as firewalls, antivirus systems, prevention or detection systems,” Marciano says. “Of course the more they have in place, the more they’re protecting the network from attacks and protecting that sensitive information that they’re holding onto the more chance that they’ll have of getting approved and getting a favorable premium.”
Goldstein says insurance companies look at the type and amount of information a company has, along with network penetration testing and detection methods, plus company policies regarding mobile devices, what encryption methods they use and password control.
Some businesses, particularly smaller ones, might opt for using an outside vendor for securing their data and network. Goldstein says although this can be a valuable service it does not protect a business from any data loss by the vendor—as the business itself is still primarily responsible in terms of legal liability.
He suggests making sure a contract has an indemnification provision in the event that the vendor is infiltrated and a company’s employee or customer data is put at risk.
“You need to do due diligence on the company that you’re ultimately dealing with and honestly if they’re a company that’s dealing with a variety of other companies they may be pooling your information to some respect with a variety of other companies information,” Goldstein says. “If a breach occurs, are they really going to have a sense of whose information is ultimately at issue?”
There are 46 states that require companies to notify those whose records are stolen. A credit monitoring service is not required by law but many companies offer this protection after a data loss as a way to maintain relationships and reduce the risk of a lawsuit. The cost of this can also be insured.
What else to cover
News organizations and publishing companies already have content liability coverage as a matter of routine and are likely already covered for their online activities. When non-media companies operate a website, host a blog or use social networking, Goldstein says, they expose themselves to content liability issues such as defamation, invasion of privacy, and copyright and trademark infringement.
Goldstein says a non-media company with a heavy online presence should make sure it’s covered with a robust content liability coverage plan. Marciano says this liability could be covered through cyber insurance or as part of standard business liability since many companies already include advertising liability with their regular insurance coverage.
Other areas of coverage include denial of service (income loss when a network goes down) and cyber extortion. Goldstein says there are cases where hackers will steal private information regarding a company’s employees or customers and demand money for its return. Insurance for this risk could include the cost of the ransom and of hiring a negotiator to work on the company’s behalf.
Whether it’s a cyber attack, a system failure or a stolen laptop, the odds are that a company will eventually face some type of data loss. Just as companies have contingency and business continuation plans in case of a physical disaster, they’ll need more of the same to deal with any cyber-related problems that arise.
“These days it’s not a matter of if a data breach will happen it’s just a question of when so today it’s better to plan ahead so that when it does happen they’re ready to just move forward and act,” Marciano says. “A company has a pretty good chance of having a cyber attack versus losing their entire organization to a fire.”
Some cyber insurance providers offer assistance in incident response planning, with negotiated contracts from preapproved vendors. Marciano says insurance companies can also recommend vendors to their clients.
Goldstein says a cyber disaster plan could be as simple as choosing which forensic firm a company will use when a problem arises. Other considerations could include how to notify those whose data was lost and legal representation in case of lawsuits or the need to defend the company against regulatory actions.
Preparing for a disaster by reaching out and establishing relationships with vendors can be an important part of an incident response plan. Goldstein says this lets companies get an idea of the cost and the type of assistance a vendor could provide when a data breach occurs. Chubb also has an incident response template it provides to its customers to help them prepare for what could be inevitable.
“The key takeaway that really any company should have is if you collect, if you store, if you transmit any type of private information that we’ve been talking about you’re exposed to the same type of issues that these companies in the higher hazard areas have ultimately been exposed to historically,” Goldstein says. “You have to ask yourself, what company doesn’t have employee data? What company doesn’t interact with customers where they’re not taking some level of customer information?”