ISSI INSIGHTS

Learn about the latest developments in risk & insurance, how to decipher your policies, and what to look for in your risk management program.
 

Insurance Trends Frank Jacobs

Cyber Risk: More Than Just Data Breaches

Cyber risk entails more than you think. Given the latest reported data breach from Yahoo (again), people constantly think of hackers when they hear “cyber risk.” It is important for executives whose responsibilities include protecting the financial welfare of their companies to understand that cyber risk goes much deeper than the highly publicized security/data breach. Learning all facets of cyber risk, ways to protect a company’s data infrastructure and financial well-being, and what remedies are available in the event of a loss is paramount to any financial executive in today’s digital world.

If cyber risk isn’t just data breach, what exactly does cyber risk involve? In addition to intentional hacking, cyber risk can include accidental loss of employee or client data, actual physical damage to computers, servers or other networking materials, or even lawsuits resulting from web activities. Comments made on public websites by an executive or employee, inaccurate or libelous statements made online, and a third party sustaining losses from a virus picked up from a company website can all be considered “cyber risk.” The scenarios presented are not an exhaustive list of risk possibilities, but it is safe to say that if your company operates online (including accepting payments, storing or transmitting data, or using social media or web pages to advertise), analyzing your cyber risk should be a top priority.

Proactive IT security measures, including implementing security tools, disaster recovery plans and training employees on policies and procedures, are essential to mitigating cyber risk. Many companies already take these precautions. According to 8 Surprising Disaster Recovery Stats, a report published by CRN.com on September 7th, 2012, “Only 51% of small businesses have an IT business continuity plan…compared to 74% of large businesses.” Furthermore, downtime created by disasters such as fires (26% of the time), human error (60%), server room issues (44%) and power outages (29%) lasted an average of 2.2 days and cost the companies $366,363 a year. While having disaster recovery procedures in place to mitigate downtime is essential, these plans don’t take into account recuperating lost revenue, money spent on fixing the problem and possible branding damage. This is where learning the remedies available to companies in the event of a loss becomes vital.

The first step is to analyze your exposures to loss, considering the type of business you are involved in. For example, if you have a media company, you should have cyber risk coverage that guards against digital copyright infringement and libel suits. If you are in the healthcare industry and are subject to HIPAA laws, you need to have cyber risk insurance that covers breach or negligence events. After considering the potential exposures, review your current insurance for coverage for loss of equipment, media, business income loss, etc. Often, the standard property and general liability policies provide some coverage that addresses some of your exposures, but more likely, there may be gaps that need to be addressed.

Keep in mind that we are available to assist you in addressing your exposures and developing an insurance and risk management program to address them.

Insurance Trends Frank Jacobs

Understanding Security & Privacy Liability Insurance

Security and Privacy Liability Insurance protects the insured from loss due to a security failure or privacy event. Still, many business owners are unclear on the terminology included in their policy. In this post, we'll break down what to look for in a Security & Privacy policy, and the different line items you need to understand.

Security and Privacy Liability Insurance protects the insured from loss due to a security failure or privacy event.  Security Failure is defined as:

(1) a failure or violation of the security of a Computer System including, without limitation, that which results in or fails to mitigate any unauthorized access, unauthorized use, denial of service attack or receipt or transmission of a malicious code;

(2) physical theft of hardware controlled by a Company (or components thereof) on which electronic data is stored, by a person other than an Insured, from a premises occupied and controlled by a Company; or

(3) failure to disclose an event referenced in Sub-paragraphs (1) or (2) above in violation of any Security Breach Notice Law.

“Security Failure” includes any such failure or violation, resulting from the theft of a password or access code from an Insured’s premises, the Computer System, or an officer, director or employee of a Company by non-electronic means in direct violation of a Company’s specific written security policies or procedures.  

Privacy Event is defined as:

(1) any failure to protect Confidential Information (whether by “phishing,” other social engineering technique or otherwise) including, without limitation, that which results in an identity theft or other wrongful emulation of the identity of an individual or corporation;

(2) failure to disclose an event referenced in Sub-paragraph (1) above in violation of any Security Breach Notice Law; or

(3) violation of any federal, state, foreign or local privacy statute alleged in connection with a Claim for compensatory damages, judgments, settlements, pre-judgment and post-judgment interest from Sub-paragraphs (1) or (2) above.

Event Management provides coverage for costs the insured incurs as a result of the above referenced Security Failure or Privacy Event. Loss for this coverage part is defined as:

the following reasonable and necessary expenses and costs incurred by an Insured within one year of the Security Failure or Privacy Event:

(1) to conduct an investigation (including a forensic investigation) to determine the cause of the Security Failure or Privacy Event;

(2) for a public relations firm, crisis management firm or law firm agreed to by the Insurer to advise an Insured on minimizing the harm to such Insured, including, without limitation, maintaining and restoring public confidence in such Insured;  

(3) to notify those whose Confidential Information is the subject of the Security Failure or Privacy Event and advise of any available remedy in connection with the Security Failure or Privacy Event, including, without limitation, those expenses and costs for printing, advertising and mailing of materials;

(4) for identity theft education and assistance and credit file or identity monitoring;

(5) for any other services approved by the Insurer at the Insurer’s sole and absolute discretion;

(6) to restore, recreate or recollect Electronic Data; or

(7) to determine whether Electronic Data can or cannot be restored, recollected or recreated.

Provided, however, Loss shall not include compensation, fees, benefits, overhead or internal charges of any Insured.

Media Content Insurance protects the insured for any Wrongful Act during the gathering, collection, broadcast, creation, distribution, exhibition, performance, preparation, printing, production, publication, release, display, research, or serialization of material, which results in:

(1) infringement of copyright, title, slogan, trademark, trade name, trade dress, mark, service mark, service name, infringement of domain name, deep-linking or framing, including, without limitation, unfair competition in connection with such conduct;

(2) plagiarism, piracy or misappropriation or theft of ideas under implied contract or other misappropriation or theft of ideas or information; including, without limitation, unfair competition in connection with such conduct;

(3) invasion, infringement or interference with rights of privacy or publicity, false light, public disclosure of private facts, intrusion and commercial appropriation of name, persona or likeness; including, without limitation, emotional distress or mental anguish in connection with such conduct;

(4) defamation, libel, slander, product disparagement or trade libel or other tort related to disparagement or harm to character or reputation; including, without limitation, unfair competition, emotional distress or mental anguish in connection with such conduct;

(5) wrongful entry or eviction, trespass, eavesdropping or other invasion of the right to private occupancy, or false arrest, detention or imprisonment or malicious prosecution; including, without limitation, any emotional distress or mental anguish in connection with such conduct;

(6) negligent or intentional infliction of emotional distress, outrage or prima facie tort in connection with Material; or

(7) Loss because a third party, which has no ownership relationship with any Insured, acts upon or makes a decision or decisions based on the content of the Material disseminated by an Insured or with an Insured’s permission.

Network Interruption Insurance provides coverage for loss that occurs as a result of a security failure. Loss is defined as the below listed costs incurred within 120 days after the end of a Material Interruption (or 120 days after the Material Interruption would have ended if an Insured exercised due diligence and dispatch):

(1) costs that would not have been incurred but for a Material Interruption; and

(2) the sum of all of the following, which shall be calculated on an hourly basis:

(a) Net Income (Net Profit or Loss before income taxes) that would have been earned; and

(b) Continuing normal operating expenses incurred, including payroll.

“Material Interruption” means the actual and measurable interruption or suspension of an Insured’s business directly caused by a Security Failure.

Cyber Extortion Insurance provides coverage for loss the insured incurs as a result of a security threat. A security threat is defined as: any threat or connected series of threats to commit an intentional attack against a Computer System for the purpose of demanding money, securities or other tangible or intangible property of value from an Insured.

 

Business Guides Frank Jacobs

Demystifying Your Insurance Policy

Do you read your insurance policy?  Not many people do, as they rely on their insurance brokers or agents to do the “dirty work” for them. Generally, this is not a good practice to follow when purchasing insurance, and is equivalent to purchasing a car without knowing the mileage, year and past mechanical issues of the vehicle.  Remember: your insurance policies are a contract, and it is imperative to know what exactly you are covered for and if the policy responds to the needs that led you to purchase insurance for in the first place.

While reading your insurance policy can be difficult, so much so that more than half of the states in the US have enacted “readability” laws for insurance policies, it is a task that must be done to make sure you are getting what you paid for.  Most policies have a Schedule of Forms and Endorsements page and follow the D.I.C.E model, which stands for Declarations, Insuring agreement, Conditions and Exclusions.  Once you understand the functions of each of these sections, you will be well on your way to understanding your policy and making sure you know what you are covered for.

Schedule of Forms and Endorsements Page

This page is like a table of contents for your policy, except instead of it giving the page number the form will be found on, it simply gives you the form number that is included in your policy.  This page lists the forms that are included and made a part of your policy.  Think of it as an abstract summary of your policy.

Declarations

If you don’t read any other section in your insurance policy, at the very least you want to read this. In some ways the Declaration Page summarizes your policy. It includes important information, such as your address and contact information, and the information of your carrier and broker, but most importantly it explains what is insured, for how long and up to what limits. It is incredibly important to review this page, and if anything is incorrect, bring it to the attention of your carrier or broker immediately.

Insuring Agreement

This section begins the nitty-gritty details of your policy. It states what the insurance company agrees to pay and up to what limits, and details when the occurrence must have happened for the insurer to pay. You will find multiple insuring agreements within the same policy, each applying to a different type of coverage. For example, for a Commercial General Liability policy you may see COVERAGE A BODILY INJURY AND PROPERTY DAMAGE LIABILITY, followed by insuring agreement and exclusions; COVERAGE B PERSONAL AND ADVERTISING INJURY LIABILITY, followed by insuring agreement and exclusions; and COVERAGE C MEDICAL PAYMENTS, followed by insuring agreement and exclusions. It is in this section that the “legal banter” begins, so you may have to read the section a couple of times before it is fully understood.

Conditions

The conditions section of your policy will be its own form and will discuss circumstances that will be applied to the entire policy.  The following are examples of certain conditions that may or may not apply to your own policy:

  • The proper steps to take to cancel the policy by either the insured or the insurer

  • How changes can be made to the policy

  • Inspections and Surveys the insurance company has a right to do

It is important to abide by these conditions as failure to do so can lead to a denial of a claim.

Exclusions

You can find the exclusions right after the insuring agreement.  While this section is written in legal terms, it is important to understand what events and circumstances are not covered in your policy.  It is especially important to understand this because you may need insurance for something that is excluded, and therefore will need to purchase an endorsement.  

Ultimately, you want to try to read your policy over two or three times to get the basic gist of what is covered and what is not. You owe it to yourself and the security of what is being insured to understand your policy. If you can’t understand it after a couple of tries, give your agent or broker a call to get an official answer.
