Thought Leadership

On a regular basis, key insurers and service providers to The Fedeli Group provide us with research studies and analysis pertaining to both our industry and broader economic trends.   From time to time we will share with you key reports that we believe provide valuable perspectives on how to better manage your business during this period of rapid economic, technological, and demographic change.

Cyber Protection / Cyber Security Liability

Posted By: Ed Kraine, CPCU, Senior Vice President and Tim Moroney, Risk Manager
Wednesday, February 01, 2012

Cyber Security Edit 2

The dawn of the internet provided many new avenues for doing business, and the protection of computer data has become a main concern in today's working environment.

"Cyber Liability," as it is called, encompasses a gamut of new risks for businesses that not only conduct business over the internet, but that also may store private confidential information subject to several federal laws.

To provide some insurance protection for these new risks, most insurance companies have developed cyber security liability policies which cover both first party "the insured" and third party liabilities which can arise because of attacks by outside parties or because of losing of sensitive data due to mistakes on the part of the insured.

Up until a few years ago, these policies were available under most property and general liability policies. However, since 2005 the loss of intangible property has been excluded under standard property policies; likewise, bodily injury or property damage, previously covered under the general liability policy, is also excluded if it emanates from a cyber breach or error.

Some examples of the claims that have occurred are as follows:

Theft of Digital Assets

A regional retailer contracted with a third party service provider. A burglar stole two laptops from the service provider containing the data of over 800,000 clients of the retailer. Under applicable notification laws, the retailer- not the service provider-was required to notify affected individuals. The total expenses incurred for crisis management notification of customers cost nearly $5 million.

In a second example a home health care organization had backup data, laptops and disks containing social security numbers, clinical and demographic information. In a small number of cases, patient financial data was stolen. In total, over 365,000 patient records were exposed. The organization settled with the State Attorney General and provided patients with free credit monitoring, credit restoration to patients that were victims of identity fraud, and reimbursement to patients for direct losses that resulted from the data breach.

Human Error

An employee of a private high school mistakenly distributed via email the names, social security numbers, birth dates and medical information of students and faculty creating a privacy breach. Overall, 1,250 individuals' information was compromised.

Malicious Code

A juvenile released a computer worm that caused a launch of denial of service attack against a regional computing consulting and application outsourcing firm. The infection caused an 18 hour shut down of the entity's computer systems. The computer firm incurred extensive cost and expenses to repair and restore their systems, as well as business income expenses which totaled approximately $875,000.

The cyber liability policy is sufficiently flexible so that a business can buy either third party or first party coverages, or both. Here is an example of how the language in a carrier's insurance policy protects first party assets:

Loss of Digital Assets

"We will indemnify you for loss you incur, in excess of the deductible, as a result of damage, alteration, corruption, distortion, theft, misuse, or destruction of your digital assets directly caused by a covered cause of loss". In this case, digital assets mean electronic data and computer programs that exist in a computer system. Please note that digital assets do not include computer hardware. In addition to this, protection can be provided for the business income loss that may result from any direct first party claims.

Here is an example of the coverage grants available for third party protection under a typical insurance carrier's policy:

Network Security and Privacy Liability Coverage

The insurance company "will pay on your behalf those amounts, in excess of the applicable deductible, which you are legally obligated as damages on claim expenses arising from your acts, errors or omissions or from acts, errors or omissions for others for whom you are legally responsible, including outsourcers, or vendors provided such acts, errors or omissions follow a security breach or privacy breach". An example of this claim is the loss of a laptop containing sensitive information, which results in the public disclosure of a person's private information. Also, this insuring agreement would cover unauthorized access into your computer system, a denial of service attack against your computer system, or an infection of your computer system by malicious code.

There are a number of other coverage protection grants available on most policies, which The Fedeli Group, after an assessment of your risks, can review with you. Please contact The Fedeli Group team to arrange for this type of risk assessment and possible valuable insurance protection.

 

© 2012 The Fedeli Group All rights reserved.