What do American Express, Home Depot, VFW, Kmart and the North Dakota University System have in common? They are all part of the 342 data breaches exposing 9,015,970 personal records that have occurred this year through June 10, 2014, according to the non-profit Identity Theft Resource Center (ITRC). This represented a 17.1-percent increase over the same time period in 2013.
Just in the last few months, we’ve seen massive breaches at major brands like Target and eBay. But we also constantly see small ones in all sorts of industries including healthcare, retail and even manufacturing. Really, any company that is consumer facing or heavily reliant on technology is exposed.
A robust cyber insurance policy can help businesses weather the storm more effectively when a data breach or network security failure has occurred. Unfortunately, many do not understand the scope of what a cyber insurance policy can provide in the event of a network security failure, and how that scope has expanded over the past few years.
In this cyber insurance 101 post, we’ll dive into where cyber coverage came from, and what the components are, paying special attention to the network security and privacy components that cover the common cyber threats organizations face today.
The Evolution of Cyber Coverage
The roots of cyber coverage go back about 20 years. Back then, technology companies bought errors and omissions (E&O) insurance, which over time was extended to include things like a software product bringing down another company’s network, unauthorized access to a client system, destruction of data, or a virus impacting a customer. (For a while there, spreading a computer virus was the big concern; remember the Love Bug virus that swept the globe in 2000?)
The companies that bought this early cyber insurance were generally in the technology space and already buying E&O insurance. The technology coverage, often called “network security” or “Internet liability” was an add-on.
Five to 10 years ago, we saw these “network security” policies expand into the privacy space by providing clear coverage for breaches of confidential information. That got the attention of retailers and other companies holding considerable consumer data, but who weren’t providing the type of technology services that would warrant buying E&O insurance.
Those companies wanted standalone cyber products that covered network security and privacy liability. That evolution has been important to where we are now because those exposures are so dominant today.
Cyber Coverage Today
Cyber coverage can mean different things to different people. Most commonly, cyber coverage is some combination of four components: Errors and omissions, media liability, network security and privacy. I’ll touch on all four, but go into more detail about network security and privacy, where coverage has changed most significantly.
Errors and Omissions: E&O covers claims arising from errors in the performance of your services. This can include technology services, like software and consulting, or more traditional professional services like lawyers, doctors, architects and engineers.
Media Liability: These are advertising injury claims such as infringement of intellectual property, copyright/trademark infringement and libel and slander. Due to the Internet presence of businesses today, technology companies have seen this coverage migrate from their general liability policy to being bundled into a media component in a cyber policy (or a separate media liability policy). Coverage here can extend to offline content as well.
Network Security: A failure of network security can lead to many different exposures, including a consumer data breach, destruction of data, virus transmission and cyber extortion. The culprits might be looking to shut your network down so you can’t conduct business, either for financial or political gain. Network security coverage can also apply if you’re holding trade secrets or patent applications for a client, and that information is accessed due to a failure of your security.
Privacy: Privacy doesn’t have to involve a network security failure. It can be a breach of physical records, such as files tossed in a dumpster, or human errors such as a lost laptop, or sending a file full of customer account information to the wrong email address. Companies have also faced liability from returning a photocopier with a hard drive that contained unwiped customer tax records. A privacy breach can also include an action like wrongful collection of information.
All insurers use different terminology for cyber coverage; some subdivide the four components above even further, which means that cyber policies can be very difficult to read and compare.
Network Security and Privacy Liability Coverage
What’s unique about the privacy and network security coverages is that both first-party costs and third-party liabilities are covered: First-party coverage applies to direct costs for responding to a privacy breach or security failure, and third-party coverage applies when people sue or make claims against you, or regulators demand information from you.
Some common first-party costs when a security failure or data breach occurs include:
Forensic investigation of the breach.
Legal advice to determine your notification and regulatory obligations.
Notification costs of communicating the breach.
Offering credit monitoring to customers as a result.
Public relations expenses.
Loss of profits and extra expense during the time that your network is down (business interruption).
Common third-party costs include:
Settlements, damages and judgments related to the breach.
Liability to banks for re-issuing credit cards.
Cost of responding to regulatory inquiries.
Regulatory fines and penalties (including Payment Card Industry fines).
Sublimits, Deductibles and Limits in Cyber Coverage
All of the first-party coverage elements, and the fines and penalties aspect of the third-party coverage, are typically offered as a sublimit of liability. As these coverage extensions were first introduced, the sublimits would be small – for example, a $5 million policy might have offered up to $100,000 for “breach costs” such as forensics and notification.
Another $100,000 sublimit might apply to regulatory fines and penalties. These sublimits have generally increased in recent years, and in most cases, you can get up to 50 percent of the total limit to apply to first-party costs. Some markets will offer blanket policies with no sublimits.
In addition to a dollar deductible (which ranges widely depending on the size of the policy and the company being insured), most policies include a time element deductible to trigger the business interruption coverage.
For example, a cyber policy might require that your network be impaired for more than 8 hours due to a security failure for the business interruption coverage to apply.
The total market capacity for cyber coverage currently exceeds $300 million, which is more than enough for most companies. Factors to consider in making limit decisions will be covered in a later post.
What’s Not Covered?
There are a few key items that are currently not covered in network security and privacy liability policies. These include:
Loss of future revenue (for example, in the case of Target if sales were down due to customers staying away after data breach).
Costs to improve internal technology systems.
Lost value of your own intellectual property
These topics are continually being discussed by cyber liability brokers and insurers, and policies may continue to evolve.
Data breaches and network security failures happen. In fact, IBM reports more than 91 million security events per year. The likelihood that your business is next is not that far-fetched. Luckily, cyber coverage has evolved from its early days as an E&O component for technology companies into a robust offering that covers both first-party and third-party costs.
Cyber Insurance 101: Network and Business Interruption
But there’s another side to cyber threats and security that is reported on less frequently, and that is what could happen if a business is unable to operate due to a cyber breach or malfunction.
This threat is being thoroughly analyzed at the national level, as the U.S. government is increasingly concerned about what might happen if a “critical infrastructure” entity experiences an interruption due to a cyber failure; think financial systems or utility/energy providers, and the resulting losses (not to mention chaos and panic) that could occur if they went “dark.”
This is what we call network or business interruption in the cyber insurance world, and yes, insurance can cover it. In this post, we’ll go over the basics of business interruption due to cyber failure, and what businesses can do to prepare.
Your Business is Likely at Risk
The “Internet of Things” continues to creep into our daily lives. More and more, devices are connected to the Internet, giving users the ability to access and control those devices remotely.
As consumers, this translates to the ability to adjust heating or cooling systems remotely, detect a water leak in your home while on vacation, or set your DVR to record “Game of Thrones” when you get pulled into a last-minute client dinner.
Businesses are also benefitting from this trend. Old-line companies in manufacturing, transportation and others have increasingly added network connectivity to their operations. Service providers have moved all sales and CRM functions online. And obviously, many consumer-facing companies rely on a Web interface for direct sales, advertising revenue and more.
The downside is that any business operation on a network is vulnerable to cyber attacks or failure. And this can be devastating when those operations are critical to your business. Put another way, there are very few businesses in the modern world that would not be severely crippled if their network were unavailable.
As an example, take Sabre, the online reservation system used by major airlines worldwide. Sabre has gone down from time to time, causing significant delays in air travel. Another example is the IT glitch that left customers of The Royal Bank of Scotland (RBS) without access to their accounts for more than a week.
Or, it could be something as simple as a website going down, like Amazon.com. When this happened in 2013, Amazon theoretically lost more than $66,000 per minute.
Those are all examples of where technology failing has prevented a business from operating in its normal manner.
So, What’s Covered Under Cyber Insurance?
Insurance works in many business interruption scenarios. But the reason why a network goes down is important to the insurance discussion. If a network goes down because there’s a fire, for example, rendering the servers inoperable, that’s a property insurance matter. If it is purely a network issue, then a good cyber insurance program might respond.
So we need to look at the reason for the technology failure to understand what coverage might apply.
Security Failure Business Interruption
The most “insurable” aspect under a cyber policy right now – meaning most policies can provide an option for coverage – is a network security failure leading to business interruption.
Examples include a Distributed Denial of Service or “DDoS” attack (your website being flooded with traffic from many sources coordinated by a malicious party until legitimate users can’t get through), a hacker accessing your network and deleting critical files, or malicious code being planted that causes the system to fail.
Importantly, these would be failures on your own networks and systems – unlike coverage for privacy breaches, cyber business interruption coverage does not automatically extend to the cloud or outside vendors.
System Failure Business Interruption
Some insurance policies will go beyond a security failure and cover a system failure. A typical system failure definition would be an “unintentional or unplanned outage” on your network.
The failure could be due to human error, system error or both. An example would be a company upgrading their accounting system and unexpectedly causing the entire network to freeze in the process. Very few insurers offer this coverage extension now, but the market is starting to expand.
Third-Party Failures: Contingent Business Interruption
Many businesses rely on systems and networks outside their own to operate. When these systems fail, where does the responsibility lie?
As I discussed in this previous post about cyber liability and the cloud, outside vendors often contractually limit their liability for outages. The further challenge is that very few insurers are willing to cover cyber business interruption when it is caused by the failure of a cloud network (aka Contingent Business Interruption or CBI).
There are some cyber policies that will offer this coverage, however; so if a cloud failure would be catastrophic to your operations, be sure to ask about those options.
The Waiting Game: Time Delays for Coverage
Whether we are talking about security failures or system failures triggering insurance coverage, we are always talking about major outages. Businesses will typically need to wait at least six hours and often up to 12 hours before an outage is considered a business interruption “event” under a cyber policy.
Insurers want to make sure they are not covering short outages that might happen frequently.
Larger companies will typically have longer waiting periods consistent with the higher dollar deductibles they carry on other insurance policies. That’s because they can afford more loss before they need the insurance to kick in.
Obtaining Business Interruption Coverage: Be Prepared
Not everyone will be offered business interruption coverage under a cyber policy just because they have systems that are vulnerable or could fail. A business will need to apply for coverage by demonstrating to the insurer that it has a business continuity plan in place that will kick in if and when a system fails, reducing the likelihood that a short outage becomes a major problem.
So while not always easy to obtain, as coverage expands to meet the changing face of exposure and the “Internet of Things,” cyber business interruption will be an increasingly valuable tool in your cyber risk management program.
Cyber 101: Obtaining Cyber Insurance – The Process
In this post, as part of our “Cyber 101” series, we’ll review the cyber insurance application process, what to expect, and what to prepare for when obtaining cyber insurance.
The Cyber Insurance Application
For companies that haven’t purchased cyber insurance yet, it requires providing information that you may not have needed in other insurance renewals. Here, an experienced broker can guide you through what you need.
Start by selecting an application that’s industry-friendly and thorough. While it may be enticing to default to the simplest, easiest application, doing so can hamper your ability to get a good variety of quotes.
The application is going to ask a lot of technical questions: what kind of technology you use, whether and how you encrypt data (at rest and in transit), what your audit processes and security procedures are, how you manage passwords and access, and how you train employees. And that’s just for starters.
The Information-Gathering Phase
Completing applications will require gathering information from many parts of your organization:
IT and Network Security teams are, of course, going to be necessary. You will need information about the types of technology your organization uses, the outside vendors and cloud providers that touch your networks, and details on your monitoring capabilities and third-party audits.
Finance will need to provide information on your revenues, customers, demographics and other organizational issues. They will also need to provide input into your desired program structure as you evaluate the different levels of risk transfer (premium, limits, deductibles and scope of coverage).
Legal will be asked for information on your contractual protections, such as what your customers are demanding from you, and what you are demanding of your vendors in your contracts. Underwriters are very focused on how successful companies are in limiting their liability, and how aggressively they are seeking indemnity from vendors. Legal also can provide information on your privacy policies, relationships with privacy counsel, and any breach response planning that has happened to this point.
What Insurance Companies Are Looking at Today: People and Process
In many recent high profile breach examples, the targeted companies had technology to monitor their systems, but didn’t have the people in place to review the alarms when they sounded.
Reports state that hackers had access to JPMorgan for at least two months before anyone was the wiser. That’s actually a fairly short timeframe: hackers reportedly were inside Neiman Marcus for five months, in Michaels for eight, and in Goodwill for 18 months before they were detected!
Insurance carriers may also look at how you would handle a “Zero Day” vulnerability. These are software bugs or holes that are unknown to the vendor or creator of the software, so no patch exists at the moment they come to light. Once a zero day becomes public, it is imperative that organizations quickly work out where the affected software runs in their environment, put compensating controls in place where they can, and apply the vendor’s patch as soon as it is released, before attackers are able to exploit the flaw at scale.
The “Heartbleed Bug” (CVE-2014-0160) was one such vulnerability disclosed in April 2014. OpenSSL ran on roughly two-thirds of web servers at the time, although only those running the affected versions, OpenSSL 1.0.1 through 1.0.1f, were exposed; estimates at the time put that at about half a million TLS-enabled sites. And it’s not a hack; it’s a mistake in OpenSSL’s implementation of the TLS heartbeat extension. A missing bounds check let an unauthenticated client read up to 64 KB of server memory per request, which could expose private keys, session cookies and passwords. Patching alone was not enough: because private keys may already have been read, affected sites also had to generate new keys, reissue certificates and invalidate sessions.
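To make the “mistake” concrete, here is an added illustration of the Heartbleed bug class, written for this post and not taken from OpenSSL. It models a heartbeat handler that trusts the payload length the peer claims, beside a hardened handler that checks that claim against the bytes actually received (the shape of the OpenSSL 1.0.1g fix). The buffer layout, the 16-byte minimum padding rule, and the “PRIVATE-KEY” string placed in memory right after the request are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative model of the TLS heartbeat bug (CVE-2014-0160). This is not
 * OpenSSL's code; the buffer layout, the 16-byte minimum padding rule and the
 * secret placed after the request are constructed for the example. */

#define MEM_LEN 64
#define RESP_CAP 128
#define MIN_PADDING 16

static const char SECRET[] = "PRIVATE-KEY";             /* constructed secret */
static const size_t SECRET_OFF = 3 + 4 + MIN_PADDING;   /* 23: right after the request */

/* Lay out one heartbeat request (type 1, claimed payload length in big-endian,
 * the 4-byte payload "ping", padding) followed by secret bytes that should
 * never leave the process. Returns the number of bytes the record really carried. */
static size_t build_memory(uint8_t *mem, uint16_t claimed_len)
{
    memset(mem, 0, MEM_LEN);
    mem[0] = 1;                              /* heartbeat request */
    mem[1] = (uint8_t)(claimed_len >> 8);
    mem[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(mem + 3, "ping", 4);
    memcpy(mem + SECRET_OFF, SECRET, sizeof SECRET - 1);
    return 3 + 4 + MIN_PADDING;
}

static size_t read_u16(const uint8_t *p) { return ((size_t)p[0] << 8) | p[1]; }

/* Vulnerable handler: echoes as many bytes as the peer *claims* it sent. */
size_t heartbeat_vulnerable(const uint8_t *req, size_t req_len, uint8_t *resp)
{
    (void)req_len;                           /* never consulted: that is the bug */
    size_t payload = read_u16(req + 1);
    if (3 + payload > RESP_CAP) return 0;
    resp[0] = 2;                             /* heartbeat response */
    resp[1] = req[1];
    resp[2] = req[2];
    memcpy(resp + 3, req + 3, payload);      /* over-reads past the request on a lie */
    return 3 + payload;
}

/* Hardened handler: the claimed payload length plus minimum padding must fit
 * inside the record that was actually received, otherwise drop it silently. */
size_t heartbeat_fixed(const uint8_t *req, size_t req_len, uint8_t *resp)
{
    if (req_len < 3 + MIN_PADDING) return 0;
    size_t payload = read_u16(req + 1);
    if (3 + payload + MIN_PADDING > req_len) return 0;
    if (3 + payload > RESP_CAP) return 0;
    resp[0] = 2;
    resp[1] = req[1];
    resp[2] = req[2];
    memcpy(resp + 3, req + 3, payload);
    return 3 + payload;
}

/* Returns 1 if the vulnerable handler echoes the secret back to the peer. */
int demo_vulnerable_leaks(void)
{
    uint8_t mem[MEM_LEN], resp[RESP_CAP];
    size_t n = build_memory(mem, 48);        /* claims 48 bytes, really sent 4 */
    size_t out = heartbeat_vulnerable(mem, n, resp);
    return out == 3 + 48 && memcmp(resp + SECRET_OFF, SECRET, sizeof SECRET - 1) == 0;
}

/* Returns the fixed handler's response length for the same lying request (0). */
size_t demo_fixed_rejects(void)
{
    uint8_t mem[MEM_LEN], resp[RESP_CAP];
    size_t n = build_memory(mem, 48);
    return heartbeat_fixed(mem, n, resp);
}

/* Returns the fixed handler's response length for an honest request (3 + 4 = 7). */
size_t demo_fixed_honest(void)
{
    uint8_t mem[MEM_LEN], resp[RESP_CAP];
    size_t n = build_memory(mem, 4);
    return heartbeat_fixed(mem, n, resp);
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", demo_vulnerable_leaks());
    printf("fixed handler, lying request  -> %zu bytes\n", demo_fixed_rejects());
    printf("fixed handler, honest request -> %zu bytes\n", demo_fixed_honest());
    return 0;
}
```

The point for the underwriting conversation is that a single missing comparison between “what the peer says it sent” and “what actually arrived” turned a keepalive message into a memory-disclosure primitive, and that the fix is a length check, not a cryptographic change. A real process has far more than 64 bytes of memory behind the request buffer, which is why private keys and session data were reachable.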
When Heartbleed was discovered, companies ranging from Google to Amazon to Apple worked feverishly over a short timeframe to patch servers. Those companies have massive IT and network security resources, but still had to respond to the news when everyone else did. The question insurers are asking is, are you prepared to respond to the next Zero Day event?
Cyber Response Plans: Incidents and Breaches
Insurers know that all businesses face cyber risk, so a key part of the underwriting is your ability to detect and respond to a breach or network security failure. The degree to which companies formalize their incident response plans varies, but underwriters will want to see that you have done a level of planning commensurate with your exposures.
For businesses that rely heavily on technology to generate revenue or process transactions:
How quickly are you able to resume operations following a network security failure or outage?
What are your back-up plans and redundancies? (Read more about how cyber insurance can respond to technology-related business interruption in a previous blog post, here).
Companies that are consumer facing need a plan that specifically responds to a data breach of consumer information. These plans should include vendors you would call on for help, including:
Law firms to advise on your legal obligations based on the nature of the breach.
Forensic IT specialists to identify the source of the breach and its scope.
Vendors to provide notification to customers and potentially offer credit-monitoring services.
Those expenses, because they are potentially covered by a cyber insurance policy, need to come from approved vendors. Some insurers offer more flexibility in vendor choice, while other carriers will insist that you use their preselected vendors.
That’s why it is important to learn during the application process if your legal and IT groups have already established relationships with these vendors.
Providing Follow-Up Information
Once you’ve gathered all the information, that’s the point where your broker will make a formal submission to insurers and eventually narrow down the list of underwriters that are interested in providing coverage.
Those insurers will often have additional questions, which may be handled via conference calls or in-person meetings. Be sure to prep all departments that may not be used to having these types of conversations – IT could very well be one of those departments.
Ask for samples, in advance, of the types of questions they’ll be asked, and the types of answers that should be provided. This is not a deposition, so “yes” and “no” answers without context are not very helpful. On the other hand, extremely technical responses with lots of jargon may be too much detail.
Evaluating Cyber Insurance Quotes
Once you’ve satisfied the insurer questions, hopefully you’ll have several quotes to choose from. Deciding between different insurers is a complicated analysis, and your broker will need to break the quotes down in detail. Don’t just look at the pricing. Pay attention to key differences, including:
Extra coverage grants (first party, business interruption, data restoration, cyber extortion)
We’ve talked about many of the above items in prior posts, but it’s worth taking a moment to focus on the importance of prior acts coverage.
Cyber liability is almost always written on “claims-made” insurance contracts. This means that it will respond to “claims” that are “made” during that policy period. A particular feature of claims-made policies is that they usually contain a retroactive date, which limits coverage to claims arising out of events or acts that occurred after a certain date.
The first time you purchase coverage, that date is typically set at the policy inception date. In future years, you can hopefully keep that “prior acts” date, so the retroactive period gets longer and longer.
The challenge with prior acts and cyber coverage is clear from the above example about how long hackers might be inside a system before being detected.
Let’s say you first buy a cyber policy in January 2015. In March 2015, the FBI contacts you with a warning: they believe your systems have been breached. Upon further investigation, you learn that the breach was kicked off in July 2014 when your CEO unknowingly fell victim to a phishing attack, and gave his password to a hacker posing as a member of your IT group.
Without prior acts coverage, the insurer can argue that the entire breach is based on an “act” that occurred before you first purchased coverage. Some insurers are willing to offer a year or two of backdated prior acts coverage on a new policy, but always for an additional premium.
If you can get that option, take it. The policy will be far more valuable as a result. Many insurers have stopped offering this option, however, particularly for retail and hospitality risks, given the frequency and severity of recent attacks in those sectors.
Binding Cyber Coverage
In all cases, before binding coverage, you will have to sign a statement affirming that you are not aware of any circumstances that are likely to give rise to a claim under the policy.
This may be obvious – you can’t insure against a breach that you already know about. But make sure that you understand the scope of that warranty statement, and how widely you are obligated to “poll” to answer the question.
In sum, buying cyber insurance for the first time is probably more complex and time consuming than other insurance procurement. Many companies find, however, that the process can lead to improved communication amongst your legal, IT, finance, and risk management teams in this critical risk area, and to a better overall understanding of the cyber risks faced by your organization.