Cyber Liability – Does Your Business Keep Customer Information Data?
Do you store your customers' or prospects' personal identification information on a computer system controlled by your office? Is it accessible over the internet or from a tablet, phone or laptop? If you answer "yes" to these questions, cyber liability is a business topic you shouldn't overlook.
The best defenses against theft of data, and the inherent theft of your customers' privacy, are the following:
a strong IT partner to advise you on vulnerabilities
clearly stated and enforced internal protocols for employees
up-to-date technology, both hardware (firewalls, encrypted drives) and software (resident software to seek out viruses, malware, and other threats)
Cyber criminals are everywhere (most overseas), but they are like any other crook: they seek the easiest targets first. With robots constantly scanning the web seeking out vulnerable computers, the primary message here is DON'T BE A SOFT TARGET.
Cyber Liability insurance today can be broken down into two broad categories: how do I respond when a hacker has gained access to my customers’ personal identification information, and what is my liability for theft of information that causes loss or damage to others? For insurance purposes the first category is referred to as "first party coverage" and the second as "third-party liability."
Here's another defensive tip: complete a cyber liability insurance application (contact us for one) and use this as an audit of your vulnerabilities. Since the application itself helps an underwriter measure risks your business faces, it's easy to gain insight by reading between the lines.
First Party Coverage
First party cyber liability insurance includes crisis management: “What do I do now that someone has hacked and possibly stolen some of our information?” Another expense will be forensic accounting: “How did this happen?” Notifying your affected customers is another critical step. Depending upon the number of customers and the nature of the breach, you may need to engage a call center to handle the inquiries bound to come in. Finally, you’ll probably need to provide credit monitoring for customers who were affected by the data breach or possible theft. Insurance policies have evolved to provide specific supplements for these categories: credit monitoring, notification, forensic accounting and other first party services.
A separate category of first party losses includes business interruption. This can be especially important coverage for businesses that conduct most of their operations online. While under attack, a web-based business is no better off than a retail business with locked front doors: you’re simply "out of business." Generally, business interruption insurance has specific triggers such as a network attack or an actual system breach.
Third Party Liability
The next category is third party liability claims. These are the claims that customers may make against you because that lost laptop or lost phone of yours resulted in their credit card having unauthorized charges made. Third party liability claims involving personally identifiable information are generally less severe than those involving personal health information. When personal health information is stolen for the purpose of obtaining prescription medications or other treatments, attorneys can sue for invasion of privacy, tarnished reputation, mental anguish, and other subjective (and expensive!) damages.
Third party damages currently account for only 10%–15% of cyber-related losses because insured events mandate the carrier pay first party costs and have a crisis management partner in attendance. Experience for uninsured events is harder to quantify, but when first party intervention is delayed, third party damages typically arise.
The newest, and for many businesses the largest, financial exposure is regulatory. Fines imposed by new laws in various jurisdictions, both state and federal, are harsh in an attempt to force businesses to secure their systems from attacks. Here in Massachusetts the law known as CMR-17 imposes severe penalties on businesses that lose private identifiable information. If you are reading this article and do not have a W.I.S.P. on file and actively updated, you should call us right away. Many insurance policies will not include coverage for government fines and penalties. Not only is insurance a good idea, but securing your network through carefully designed procedures and protocols is absolutely necessary in today's global business environment.
Cyber Liability Policies
Cyber liability insurance policies have become more homogeneous over the past few years as business exposures and effective responses have been identified through insurance claims experience. Thus, while there are differences in details, the basic structure of policies is beginning to become uniform.
Some companies offer this insurance as add-ons to existing business policies, but for many companies a stand-alone policy makes more sense. Pricing for this insurance has become much tighter, meaning wide disparities in price from carrier to carrier are no longer as common as just a few years ago. For example, add-on coverage for many small businesses can cost from as little as $500 to $2,000 per year for limits of $50,000 to $1,000,000. Business size and the quality and nature of information provided are important measures of cost.
To discuss how cyber liability might be of benefit to your business, call one of the insurance professionals at Gordon Atlantic toll free at (800)-649-3252.