
Post on 15-Aug-2020


Cyber Insurance 101: What You Need to Know to Help Protect Your Business

The Center for Strategic and International Studies estimates the global cost of cybercrime to be $575 billion in its latest report sponsored by McAfee entitled “Net Losses: Estimating the Global Cost of Cybercrime”. With threats challenging the technology that most businesses increasingly rely upon, it is in the best interest of business to be prepared. Your business may be a stickler about data security employing firewalls, intrusion detection systems, or encryption, but is your organization addressing the increasing sophistication of cyber threats and cyber liability? Does your organization have a data breach response plan? If your business leverages technology, it is vulnerable to cyber liability exposure.

Cyber insurance—or cyber liability insurance coverage (CLIC)—is a product used to protect businesses from Internet-based risk and mitigate cyber liability exposure. Cyber insurance also addresses the vulnerabilities posed by IT infrastructure and the activities that threaten beyond reputation and privacy, including business interruption, data breach response and the costs of customer notification when applicable. CLIC is a quickly emerging safeguard garnering growing interest and exponential sales growth.

Many businesses first learn about cyber insurance from concerned customers, and more companies are choosing to enact cyber insurance policies. Before selecting and implementing cyber coverage, however, it is important to know the basics to appropriately ascertain business needs, organizational cyber risk exposure and tolerance, and the implications and potential impacts that could resonate from a fraudulent occurrence.

No business is immune to cyber vulnerability

Cyber insurance is regarded with growing importance as companies large and small are not immune to the risks posed by cybercrime. Does your organization collect payment information for online sales? Does your business retain a physical database of customer information? Do you store information on the cloud?

Aside from privacy regulation and the challenge of protecting data from outside threats, what about the threat posed by cybercriminals targeting your employees? Do your employees have remote access or access business data using mobile devices? Has your company considered the operational cyber risk related to manufacturing, distribution, inventory, supply chain, or point-of-sale systems? All of these scenarios present cyber risk exposure.

Cyber threat facts:

• According to the insurer Allianz, cybercrime exacts damages globally to the tune of nearly one half trillion dollars a year.*

• Cyber risks continue to evolve beyond privacy, reputational and regulatory issues as businesses, customers and devices increase interconnectivity and grow more technology reliant, creating new risk exposures.

• The global cyber insurance market is forecast to grow to over $20 billion by 2025.*

* https://www.allianz.com/en/press/news/studies/150909_businesses-must-prepare-for-cyber-risks.html/


Treasury Management Advisor Issue 108


In consideration of data breach

One common cyber threat is that posed by data breach. Data breaches have been proven to exact a reputational toll that is sometimes difficult to quantify, not to mention the ensuing financial losses incurred. The public is well aware of large scale data breaches like that experienced by 110 million Target customers, and most recently VTech®, the children’s learning and digital toy company, with 5 million customers affected by a data breach. There is no question that such large scale, publicized data breaches are driving cyber insurance into the risk management conversation.

So what about small business? A data breach occurrence can be even more devastating for them, and many businesses are unable to recover.

At the very least, all businesses should have a data breach response plan, review the plan quarterly, and educate employees about the risks, vulnerabilities and response should a cyber event occur. And with cyber threats on the rise, cyber insurance coverage is worth consideration. Businesses insure against natural disasters, fire, and theft. Such insurance is considered the cost of doing business, so why not protect against cyber threats that have the potential to be just as damaging, or even more so? The concept of risk minimization is the same with the intent to offset potential loss and business impact that could ensue from an unforeseen event.

Cyber insurance—a brief history

Cyber liability insurance coverage is not a new concept for technology companies, but despite being available for 10 years, it is likely a new concept for most organizations outside of the technology industry. CLIC actually has its origin in errors and omissions (E&O) insurance, which has existed for over 20 years. E&O insurance covers events like unauthorized system access, network takedown, data destruction, and viruses that can affect an organization’s customers. Through its evolution, CLIC incorporated coverage for network security and Internet liability, then extended to data breach, and has now come to include a wide spectrum of covered events. Obviously, coverage differs depending upon industry type, the broker and the insurer. The good news is that most policies are easily configurable to organizational needs and risk vulnerabilities, and standalone cyber insurance products are also available.

What about a small business?

The U.S. Department of Homeland Security reported in August 2015 that 31 percent of cyber attacks are perpetrated against businesses with fewer than 250 employees. A 2014 study conducted by the Ponemon Institute revealed that 43 percent of companies had experienced a data breach within the past year, an increase of 10 percent over the previous year.* Despite the statistics, many businesses do not have a data breach response plan.

*http://www.usatoday.com/story/tech2014/09/24/data-breach-companies-60/16106197/


Government regulations have also driven the growth of CLIC products through laws addressing mandatory data breach notification. As such, highly regulated companies, like those in the financial services, healthcare and retail industries, were early adopters of cyber liability insurance behind the technology sector.

Today nearly all 50 states require data breach notification, and notification itself can be a large expense when faced with a breach. Add to notification the cost of business interruption, lost business, potential legal defense and settlements, and it is easy to see how a single cyber event can impose hefty damage to your customers as well as your bottom line. With the threat of a cyber event a reality of business today and more legislation to come on the heels of consumers’ growing data trails, it is helpful to know just what type of events CLIC can address.

What CLIC addresses

Cyber liability insurance coverage has evolved beyond errors and omissions to incorporate more complex network security and privacy coverage and media liability. Categorically, CLIC addresses the following:

• Errors & omissions: Covers an indirect breach of customer data, general failure to perform, negligence and errors

• Network security: Covers the theft or destruction of data, unauthorized access, viruses and malicious code, and business interruption, among others

• Privacy: Covers data breaches involving the most common events, such as exposure through employees, lost devices, unintentional data exposures, physical data breach, and hacking

• Media liability: Includes coverage for the infringement of intellectual property (not extending to patent), advertising and personal injury

Should your organization fall victim to a cyber event, CLIC most often reimburses for expenses including but not limited to: lost business; business interruption; reputational compromise; crisis management; forensic investigation; required data breach notification costs; the extension of credit bureau monitoring to customers; public relations; loss of profit; inadvertent release of confidential information or privacy breach; the cost of recovering lost data; legal expense; legal settlements and regulatory expense or fine assessment.

Talking cyber insurance with your broker

When considering cyber insurance it is important to know that not all policies are created equal, terminology among insurers can greatly differ, and policy exclusions need to be considered so there are no surprises if your organization falls victim to a cyber event. Be sure to consult with your technology representative and legal counsel to fully determine risk exposure when considering CLIC, but also include all facets of management as cyber vulnerabilities extend beyond technology and security. Once your organization is ready to consult with potential insurers, quiz them and your broker about the following:

• Policy availability: What types of CLIC policies are available and how can a policy be best tailored to address your organization’s risk tolerance and cyber risk exposure? These factors will dictate the amount of CLIC your business will require.

• Covered events and policy evolution: What types of events are covered? As cybercrime continues to evolve, cyber insurers are trying to keep up. For this reason, some of the latest cyber threats may not be covered by certain insurers or policies.

> How innovative is the insurer or policy in terms of addressing threat and risk evolution?

> Once the policy is in place, how often will it be reviewed or revised?


> Is the loss of future revenue or loss of value covered by the policy?

> Is the cost to improve systems to prevent future cyber events addressed?

> What first-party and third-party risks and losses are covered? How are they delineated in terms of risk burden and coverage?

> Will the policy cover “social engineering,” where a hacker tricks another person into skirting security procedures? For example, someone posing as the CEO emails a phony wire transfer request from the finance department.

• Coverage exclusions: What exclusions apply? Do not inquire only about event exclusions, but also ask about the time frames and criteria that apply to trigger coverage. Common exclusions can include spam, terrorism, foreign actors, illegal activity, data loss (not just data theft), unlawful collection of information, and fraud arising from third-party or vendor access to business systems.

> What are the coverage limits?

> Does coverage apply retrospectively when a cyber event goes undetected for a period of time?

> What best practices or reasonable protections does the policy require to ensure coverage?

• Sublimits and deductibles: What sublimits and deductibles apply? Are they adequate? How do they apply to first and third parties?

• Policy integration: How will the cyber coverage integrate with other policies your business holds?

> Do current policies extend to cyber events or could coverage overlap?

> How does coverage work with your current vendor indemnities?

> Is a stand-alone or customized policy best for your type of business or industry?

Most organizations safeguard against the odds of a data breach and work to reduce cyber vulnerabilities, but having cyber liability coverage can protect business assets by mitigating potential damages, as well as regulatory and reputational exposure should a cyber event occur.

With the growing dependency on technology and the Web, the vulnerability gaps will continue to evolve along with the complexity of cyber threats. Businesses without CLIC often prove to be the weak link in exposing other organizations with whom they do business to cyber threats.

For these reasons, cyber liability insurance coverage regardless of business size or industry makes increasing sense to provide essential protections. That said, CLIC is only one component, and it remains the case that the first lines of cyber defense are an organization’s comprehensive risk management policy and educated employees.
