By: Nathan Ulery
Help your clients protect one of their most important assets: their information
Google, Facebook, Amazon, LinkedIn. Often we’d like to be associated with these organizations, but not always. Each of these companies has had its databases attacked—disclosing private information about customers and costing millions of dollars in remediation, credit monitoring, and lawsuits. Additionally, requirements to disclose breaches proactively to impacted customers can compound the damage by tarnishing their reputations.
These events highlight a less positive impact of the evolving focus on customer experience and demand for Internet-based transactions: the complexities of security and cyber liability.
Why the concern?
The 2013 Data Breach Investigations Report, released by Verizon, reveals the following statistics:
Who are the victims? (27 different countries are represented)
- 37% of breaches affected financial organizations (+)¹
- 24% of breaches occurred in retail environments and restaurants (-)
- 20% of network intrusions involved manufacturing, transportation, and utilities (+)
- 20% of network intrusions hit information and professional services firms (+)
- 38% of breaches impacted larger organizations (+)
How do breaches occur?
- 52% used some form of hacking (-)
- 76% of network intrusions exploited weak or stolen credentials (-)
- 40% incorporated malware (-)
- 35% involved physical attacks (+)
- 29% leveraged social tactics (+)
- 13% resulted from privilege misuse and abuse
What is cyber liability insurance?
Cyber liability insurance addresses the risk associated with e-business, the Internet, networks, and information assets. It takes into account both first-party (trade secrets, intellectual property, web content) and third-party (customer) data and information.
Who needs cyber liability insurance?
Simply put, every company that needs to protect its proprietary information and its users’ information from data breaches would benefit from cyber liability insurance. Organizations need to view information as an asset and safeguard it at least as much as, if not more than, physical assets that are easier to replace. Regulatory disclosure requirements make data breaches damaging to company reputations because even when no customer impact exists or is expected, the fact that a breach occurred often requires a disclosure.
As the statistics above suggest, the stakes are high for all business owners, regardless of size. Unfortunately, small companies tend not to feel as vulnerable as larger organizations, signaling a potentially underserved market.
Why it’s too late to start investigating coverage after an attack
Data breaches may have limited coverage under general liability and Director and Officer (D&O) policies. The question is one of interpretation: whether software and data count as “tangible property,” or whether, having no physical substance, they fall outside commercial general or umbrella liability policies.
One of the highest-profile cases involves the 2011 cyber-attack on Sony, during which an estimated 100 million customer accounts were compromised. The attack cost $200 million and involved 58 class-action lawsuits. The insurer filed a lawsuit against Sony and several other insurers, seeking to avoid coverage under its Commercial General Liability (CGL) policy for the network breach on the basis that unauthorized access to and theft of personal identification and financial information are not claims for “bodily injury,” “property damage,” or “personal and advertising injury.”
There are no winners here, but this type of situation can be avoided if clients understand how insurers and courts view data and information.
What can you do?
Cyber liability issues present significant education and sales opportunities with your clients. Some steps you can take include:
- Helping clients understand what is and is not included in their current policies
- Highlighting clients’ gaps in processes and security controls
- Advising on leading practices for addressing areas of greatest vulnerability—for example, weak passwords, stolen credentials, and unencrypted sensitive data
- Introducing cyber liability coverage as part of your overall risk program
¹ Key to the indicators:
- A plus (+) sign indicates either a 10% or greater increase from the previous year’s report
- A minus (-) sign indicates a 10% or greater decrease from the previous year’s report
- Measurements without an indicator showed no significant change