Manage the Risks You Know: Cyber Protection/Cyber Security Liability
Ed Kraine
The dawn of the internet provided many new avenues for doing business, and the protection of computer data is a main concern in today’s working environment.
“Cyber Liability,” as it is called, encompasses new risks for companies that not only conduct business over the internet, but that also may store private, confidential information subject to several federal laws.
To provide insurance protection for these new risks, most insurance companies have developed “cyber security liability policies,” which cover both first-party (“the insured”) and third-party liabilities arising from attacks by outside parties and the loss of sensitive data due to hacking or invasion by others. Since 2005 the loss of “intangible property” has been excluded under standard property policies; likewise, bodily injury or property damage, previously covered under the general liability policy, is also excluded if it emanates from a cyber-breach or error.
The most damaging risks, from both a financial and a reputational standpoint, involve the loss of protected information you store in your system. HIPAA “Protected Health Information” (PHI) includes any information, oral or recorded in any form or medium, that relates to the present, future, or past physical or mental health of an individual, and can include, but is not limited to, telephone and fax numbers; email addresses; social security and medical record numbers; plan beneficiary numbers; account numbers; and other identifiers.
The most frequently purchased protection today is network security and privacy liability coverage. The carrier pays on your behalf amounts you are legally obligated to pay … following a security or privacy breach. This is an unlimited, non-measurable, unfunded risk unless you purchase this protection.
Another insuring agreement will reimburse you for expenses to monitor and notify claimants as a result of the above breach. It is known as event management protection.
“First Party” claims are less common, and the protection is designed to reimburse you, the client, for an interruption in your network; an extortion event; actual loss of digital assets; and regulatory violations on your part.
One carrier can provide reputation protection, which is subject to a “sublimit,” or smaller amount of coverage than the overall policy.
Theft of Digital Assets (Example)
A regional retailer contracted with a third-party service provider. A burglar stole two laptops from the service provider containing the data of over 800,000 clients of the retailer. Under applicable notification laws, the retailer – not the service provider – was required to notify affected individuals. The total expenses incurred for crisis management notification of customers were nearly $5 million.
Malicious Code (Example)
A juvenile released a computer worm that caused the launch of a denial-of-service attack against a regional computing consulting and application outsourcing firm. The infection caused an 18-hour shutdown of the entity’s computer systems. The computer firm incurred extensive costs and expenses to repair and restore its systems, as well as business income expenses which totaled approximately $875,000.
The Fedeli Group can counsel and help explain to you the risks and protection solutions available in this ever-growing area of business risk.