Security breaches, whether physical, network, system or data breaches, can happen to any company, regardless of industry or size. Recently, we’ve seen breaches at the U.S. Office of Personnel Management, Target, Anthem, Sony, Home Depot and JPMorgan Chase. A thought-provoking rendering of the “World’s biggest data breaches through hacks through October, 2015” can be viewed below. The scope of these data breaches has touched not only businesses, but countless individuals whose data has been breached throughout the world.
Visualizations – World’s Biggest Data Breaches via Hacks, Courtesy of David McCandless at InformationIsBeautiful.net
Financial institutions are often in possession of and responsible for sensitive information including personal identifying information, which makes them prime candidates for those looking to acquire such data.
As a small business working with financial institutions, legal firms and commercial entities looking to evaluate potential borrowers or investigate the financial position of individuals or companies for recovery purposes, we have had to look for additional ways to protect our business as well as our clients’ interests. One such area has been to ensure that we have appropriate insurance for our business.
In years past, it was sufficient for a business to have a General Liability policy, an E & O policy and a Workman’s Comp policy; however, as a service provider, part of our current due diligence is now to carry a Cyber Liability policy. Consider the following three views on the topic from PwC, Cavignac & Associates and Insureon.
“Although Cyber insurance does not, by itself, protect a business from data breaches, it does typically cover both damage and liability stemming from attacks that could damage, corrupt or disclose specific classes of data or technical infrastructure – risks that are typically excluded from traditional commercial liability coverage.” (PwC, “Managing cyber risks with insurance,” June 2014)
“Cybersecurity is not just an IT issue but an enterprise risk management issue. As with any major business risk, companies should consider cybersecurity insurance as a way to transfer risk and mitigate potential losses.” (Cavignac & Associates, Best Practices Annual Cyber Insurance Reviews, 2015)
“The risk of data breaches is real. Many small business owners may not think they need this type of insurance, but start ups and small businesses are actually the most vulnerable to security threats. Thousands of small businesses handle sensitive customer credit or bank account information daily, and many are also responsible for protecting personal identifiable information (Social Security, driver’s license and other sensitive data). All it takes is one careless mistake by an employee, unauthorized access by a former employee or vendor, unshredded document, skilled hacker, or stolen laptop, and your company could suddenly face an unprecedented legal and financial challenge. Combined with strong security measures, cyber liability coverage is a cost-effective way to mitigate that risk.” (Insureon.com/products/cyber-liability)
According to the National Association of Insurance Commissioners & the Center for Insurance Policy and Research (NAIC), “managing cyber risks through insurance is relatively new. Although the market for cyber liability insurance is off to a good start, it is expected to grow dramatically over time as businesses gradually become more aware that current business policies do not adequately cover cyber risks. As data breaches occur more frequently, there are additional pressures for businesses to step up efforts to protect the personal information in their possession. Cyber attacks may come from nation states, terrorists, criminals, activists, external opportunists and company insiders (both intentional and unintentional). Cyber criminals attack to gain some type of political, military or economic advantage. They usually steal money or information that can be eventually monetized, such as credit card numbers, health records, personal identification information and tax returns.”
NAIC's list of Cyber risks includes:
- Identity theft as a result of security breaches where sensitive information is stolen by a hacker or inadvertently disclosed, including data elements such as Social Security numbers, credit card numbers, employee identification numbers, drivers’ license number, birth dates and PIN numbers.
- Business interruption from a hacker shutting down a network.
- Damage to the firm’s reputation.
- Costs associated with damage to data records caused by a hacker.
- Theft of valuable digital assets, including customer lists, business trade secrets and other similar electronic business assets.
- Introduction of malware, worms or other malicious computer code.
- Human error leading to inadvertent disclosure of sensitive information, such as an email from an employee to unintended recipients containing sensitive business information or personal identifying information.
- The cost of credit monitoring services for people impacted by a security breach.
- Lawsuits alleging trademark or copyright infringement.
The NAIC also states that securing a Cyber Liability policy will not be a simple task. Insurers writing this coverage will be interested in the risk management techniques applied by the business to protect its network and its assets. The insurer will probably want to see the business’ disaster response plan and evaluate it with respect to the business’ risk management of its networks, its website, its physical assets and its intellectual property. The insurer will be keenly interested in how employees and others are able to access data systems. At a minimum, the insurer will want to know about antivirus and anti-malware software, the frequency of updates and the performance of firewalls.