In today’s business world, digital information is fundamental to everyday operations. Whether it’s financial applications, email communications, supply chain management, content management, sales order processing or customer relationship management systems, data is the backbone of business. The more reliant a company is on digital data, the lower its tolerance is for any interruption in application or data availability caused by cyber threats.
The recent rise in high-profile cyber incidents, such as computer viruses, data theft, identity theft and other cyber crimes, makes it critically important to keep data secure, available and organized.
What happens when a data loss or breach occurs? More specifically, what are the implications from an insurance standpoint?
Consider these scenarios:
- Your client owns a small business, and one of its employees accidentally opens an email that has a computer virus attached to it. The virus crashes the company’s computer network, but not before spreading itself to everyone in its contact list, including all customers. As a result, one of your client’s customers gets the same virus, which wipes out his whole network, and now the customer is suing your client for damages.
- Your client runs a nonprofit organization. Its website gets hacked by a virus that corrupts all of its content and then emails a virus link to all of its donors. The organization rushes to take the site down, but not before a lot of damage is done, and it must now spend thousands of dollars to have the computer network and website rebuilt. Meanwhile, several major donors are not pleased with the way things were handled, so your client has lost a huge chunk of sponsorship (income).
- A disgruntled former employee logs into your client’s network and blocks access to the company website so its customers cannot access their accounts or do business. After two weeks of this, everyone is upset because they cannot operate normally, and your client is losing customers by the hour. Not only have they lost customers, but they also can’t get them back, and some are suing for damages.
What do these three scenarios have in common? None of the losses would be covered under typical business insurance policies.
The Insurance Services Office’s Building and Personal Property Coverage Form, which covers damage to property, covers loss of data, but only up to an annual limit of $2,500.
Commercial general liability policies cover claims against your clients for damage to others’ property, but damage to data is specifically excluded. Not only is the damage to data excluded, but damage (including bodily injury) caused by a loss of data is specifically excluded as well. This means the full financial impact of these scenarios would fall directly on your clients’ business.
Times have certainly changed, and most businesses aren’t prepared for these scenarios. Yet they are happening every day at an alarming rate, with more privacy and security breach headlines in the news, and those headlines represent only a small portion of what is actually happening, much of which goes unreported.
According to the Cincinnati Insurance Board, most companies, particularly small businesses, are woefully unaware of the implications of cyber threats.
“Cyber losses are increasing, and the cost to recover from a data breach can be staggering,” said the Board’s Executive Vice President Ron Eveleigh. “At this time, coverage is limited for these cyber losses, but the coverage is evolving. Some policies will provide limited coverage for broad data and privacy breaches but, right now, the majority of commercial general liability policies need a specific endorsement for cyber peril coverage.”
How to Avoid Losses
There are three things agents should do to help their customers avoid major losses caused by cyber-related threats.
Review your clients’ business cyber risks with them. “Be sure to inquire of any e-commerce activity that their businesses do and what kinds of and whose information they store on their network,” said Brian Fey, vice president of Fey Insurance Services, Oxford, Ohio. “This would even include any information on subcontractors who do some of their e-commerce activity or help in running or maintaining the computer network. At the same time, be sure to review their current coverage and see what possible gaps exist in their current plans as it pertains to covering cyber threats unique to their way of doing business.”
Discuss “cyber-risk” coverage for loss of or damage to data. “Be sure to ask not only about coverage for loss of their data, but also for their liability for loss of others’ data, as well as the damage that can be caused by the loss of data,” said Martin Dvorchak, consultant for CORE Risk Services, a Cincinnati-based Risk Management and Disaster Recovery firm.
“Endorsements and/or policies to cover data are readily available. There are many versions of so-called ‘cyber liability’ policies available in today’s marketplace, and it is important to carefully review terms and conditions to make sure such a policy will do what they expect if and when it is needed,” Dvorchak added. “Unless they’re making buggy whips on a cash-only basis, they need some form of this coverage to protect their business. Covering these exposures is probably more affordable than they think, and it’s certainly more efficient than paying for damages out-of-pocket.”
Have a data security risk assessment performed by an IT professional who specializes in data security. This will help discover the strengths and weaknesses of data handling processes and fix them before something bad happens. A thorough risk assessment along with adopting best practices demonstrates that a business has exercised due diligence, and when properly documented, can serve as an “affirmative defense” when a cyber threat impacts their employees or customers.
As the saying goes, “an ounce of prevention is worth a pound of cure.” This is especially true for cyber perils. Each of these pointers can be the difference between business continuity and business failure for your customers in the event of a cyber-related incident.