Cyber Liability: Managing the Risks
By Jeffrey W. Cavignac
Flash back to 1992: I had just started our company and bought my first computer — a Gateway 33 mhz. There was no such thing as a “cyber liability” insurance policy. Most business people didn’t know what a Website was, and the term “security breaches” might have created images of “Mission Impossible.”
Flash forward to 2011, and issues arising out of data security, management of confidential information and infringement of intellectual property rights are all considered major exposures. We have become so interconnected that the opportunity for catastrophic loss has escalated dramatically.
While the early “hackers” seemed to be merely challenging themselves intellectually to see what type of mischief they could cause, today’s hackers have serious criminal intent in mind. Terrorists, organized crime and the random computer geek working alone are making cyber crime a growth industry. Since 2005, according to Privacy Rights Clearinghouse, over 263 million data records of U.S. residents have been exposed to security breaches.
Risk Analysis
Step one is identifying assets or circumstances that could give rise to a loss. This also is known as “exposure analysis,” and the assets or circumstances are referred to as “loss exposures.”
Potential damages include loss a company’s data and the cost to restore it, the cost of defending against or settling a third party claim, the cost of cyber extortion, damage to reputation, the cost to notify individuals whose personal information may have been compromised and the cost to pay for credit monitoring for those individuals if required by law.
Nearly every state (including California) now requires businesses that have compromised an individual’s information to notify that individual. One study of larger companies estimated the cost of a data breach at $204 per compromised record. The same study calculated the average cost of a data breach at $6.75 million.
Risk Control
Understanding what your exposures are is the first step. The second step is to determine how you can manage these exposures. In other words, identify what you can do to lower the likelihood of a cyber liability claim or the severity of a claim if one happens.
There are many companies today that specialize in helping businesses manage and protect both their own data and the data of their customers. But the key is to centralize IT management and develop enforceable policies and procedures across your network. These policies and procedures should be periodically checked to see if, in fact, they are being followed. In the event of a suspected or actual breach, it is important to take action as soon as possible and, if necessary, call in an IT security specialist.
Is This Risk Insurable?
Although evaluating, selecting and implementing risk control strategies are critical to reducing the frequency and severity of cyber liability exposures, insurance also can play a role. As these exposures have evolved, so has insurance coverage. Although the Insurance Services Office (ISO) created a “standard” policy in November 2009, most of the policies on the market today are unique to the company offering the coverage.
These policies include both first party and third party coverages. First party coverage indemnifies you for the costs you incur to repair or replace damage caused by a covered peril; third party coverage includes the cost to defend against and settle a third party claim, including regulatory actions. These policies commonly include coverage for some or all of the following exposures:
Website Publishing Liability
Security Breach Liability
Programming Errors and Omissions Liability
Replacement or Restoration of Electronic Data
Extortion Threats
Business Income and Extra Expense
Public Relations Expense
Security Breach Expense
What Does It Cost?
Cost can vary dramatically depending on the type of business, type and volume of information on file and other factors. Since this is a relatively new type of coverage, there is not an adequate database on which to calculate rates. Most companies offering the coverage are pricing their programs based on what they believe the exposure to be and what they think they can charge. Prices for smaller firms (less than 50 employees) will probably be in the $1,000 to $10,000 range. Larger firms might expect to pay $15,000 to $25,000.
Best Practices
Every firm, regardless of size, should evaluate their exposure to cyber liability. It should also be determined what steps can be taken to manage this type of potential claim. Finally, you should obtain a quotation for coverage. Even if you elect not to purchase the coverage, you should know the cost and make the conscious decision not to buy it as opposed to assuming you don’t want to afford it.
Jeff Cavignac is president and principal of Cavignac & Associates, a San Diego-based commercial insurance brokerage firm located at 450 B St., Suite 1800, in San Diego. More information about the company can be found at cavignac.com.