View non-flash version
INSURING CYBER RISKS Insurance can play a key role as companies search for bet- ter ways to manage and reduce their potential fi nancial losses from cyber-attacks. It’s important to know that most tradi- tional insurance products such as property and general liabil- ity do not cover claims stemming from cyber events (such as hacking). And, to avoid future coverage disputes, more poli- cies are incorporating “exclusions” to clarify that cyber protec- tion is not offered by the policy. The Lloyds of London have already incorporated an Institute Cyber Attack Exclusion Clause (CL 380) into most of the marine policies they issue. Why? It’s not that insurers are refusing to offer coverage for this business risks. It’s just that these new and emerg- ing technology risks need to be addressed differently than other business risks. Hence, a whole new cyber liability insurance market is developing quickly to do so. Currently, available cyber liability insurance focuses on two types of risk: fi rst-party and third-party risks. Avail- able fi rst-party coverage includes loss of business income resulting from a data breach, the cost of repairing and re- storing computer systems if there is a virus that destroys business software and data, costs associated with forensic analysis and crisis management to respond to a data breach incident. First-party coverage reimburses the insured for the costs of notifying the individuals whose information was or may have been breached. Some of these policies will even cover the cost of setting up ID theft monitoring services for the potential victims. Third-party risks such as data breach incidents result from unauthorized access to information or personally identifi able non-public information like bank account numbers, credit card numbers or Social Security numbers. Third-party insurance covers the fi nancial damages an identity-theft victim might incur from the breach. In purchasing cyber insurance, it’s important to remem- ber that there are no off-the-shelf cyber liability policies. Each policy is tailored to meet the specifi c needs of in- dividual clients. Insurers have extended their coverages to include a wide range of cyberliabilty coverage under one policy form, including network security liability, media content liability, privacy liability, extortion threat, busi- ness interruption, credit monitoring, privacy notifi cation costs, and regulatory fi nes. Some cyber liability policies will cover social media risks, crisis management, and data restoration. Coverage can include direct and indirect costs associated with a breach, ranging from breach notice costs to damages and defense costs. Cyber liability coverage has greatly evolved since the fi rst products were introduced to the market in the late 90’s, and is still evolving. Insurers are working hard to keep pace with new technologies and the risks that accompany them. There is growing concerns about physical damage that cyber-attacks could potentially cause. Additionally, insur- ers are looking to see how cyber coverage can help protect intellectual property losses and reputational damage. The cyber liability risks of today will be markedly different to- morrow and so, too, will available insurance coverage. BOOSTING SECURITY While a growing cyber insurance market is available to provide coverage, still a company’s fi rst line of protection is its own risk management efforts. Companies need to rec- ognize that they have tremendous potential risk and need to invest in practices and protocols that can boost their online security. Many insurers work with outside security vendors to provide their clients with access to pre-qualifi ed services such as network assessment analyses that is cus- tomized to meet a company’s specifi c needs and budget. These services test a company’s vulnerability to breaches. Employees play a signifi cant role in staving off cyber risks. It’s important to educate and continuously remind employees of, not only their vulnerability to cyber breach- es, but the companies. One lost company laptop can wreak havoc therefore, companies are wise to: Train employees and contractors to understand their responsibility in the protection of data assets. Ensure that mobile devices are encrypted and that employees understand the organizations’ policies with respect to downloading sensitive information and working remotely. Make employees aware of the precautions that should be taken when traveling with laptops, PDAs and other data bearing devices. In the whole scheme of things, cyber insurance policies and an investment in more proactive cyber security may be very inexpensive when compared to the potentially enor- mous costs associated with any kind of data breach. As world commerce becomes ever more global and intercon- nected and dependent on technology, protecting physical assets, information and privacy is going to be a bigger risk management priority for all industries. Christopher Cooke is Vice President of General Liability for XL Group’s North America Marine business. John Coletti is Chief Underwriting Offi cer of XL Group’s Cyber and Technology business. MN 19www.marinelink.com MN Oct14 Layout 18-31.indd 19 9/18/2014 3:27:57 PM