By Paula Green
Insuring against cyber risks is stoking the imaginations of insurance companies as the risks to multinationals expand. However, companies should check what policies cover them for.
Cyber risks are increasingly edging their way onto the agendas of corporate boardrooms, as more regulators and legislators on both sides of the Atlantic require companies to disclose their exposure to security risks and incidents of data breaches.
While disclosure requirements are nothing new, tougher regulations have been put in place over the past decade and are now on the books in nearly all 50 US states. The European Union has strengthened its Data Protection Directive, which has been in place since 1995, and government officials in Asia, Australia and New Zealand are strengthening their own laws.
When the US Securities and Exchange Commission issued new guidance on public companies’ disclosure of their cybersecurity risks last fall, the antennae of corporate board members and top executives went up. In its guidance, the Commission’s division of corporate finance noted that corporate executives must apply the same diligence and disclosure to cybersecurity risks that they apply when giving the investment community a heads-up on any other operational risk facing their company.
“There’s a growing awareness that cybersecurity is not just about losing a laptop, …it’s about lost revenue,” says Bob Parisi, a senior vice president with insurance broker Marsh’s Finpro practice in New York. “Corporate executives are more aware that they are dependent on technology and a technology disruption can interrupt their revenue stream.”
The risks to multinationals have expanded as the sheer volume of data transmitted electronically surges, just as companies increasingly outsource their computer services—so-called cloud computing—as a way to centralize their computing functions and manage their data storage needs. Coupled with companies’ greater use of social media for marketing and customer service operations and letting employees use personal mobile devices and laptops to carry out company business, the specter of greater revenue losses and liabilities from data breaches looms large.
COVERAGE IS EVOLVING
“There are no physical perimeters anymore,” says Jerry Irvine, chief information officer at Prescient Solutions, an information technology company in Chicago. Before, someone had to get on a corporate property, pass through security and then know the pass code to log on to a company computer. “Now someone from anywhere in the world sitting in the back seat of a car can access the company financial department’s data on your server. That puts your company, your employees and your clients at risk.”
“There’s a growing awareness that cybersecurity is not just about losing a laptop, …it’s about lost revenue”
– Bob Parisi, Marsh
Irvine also sits on one of the task forces of the National Cyber Security Partnership, a US public-private partnership meant to help secure the country’s information infrastructure. “The pace of hackers breaking into networks is increasing significantly faster than cybersecurity,” says Irvine, adding that companies need security devices able to scan a corporate system’s unknown vulnerabilities, not just the known cybersecurity risks.
Irvine, Prescient Solutions: The pace of hackers breaking into networks is increasing significantly faster than cybersecurity
Multinationals also need insurance to cover the inevitable losses. The bad news is that general property and liability policies won’t cover first-party losses or third-party liability claims stemming from cyber risks.
The good news is that there is plenty of capacity in the global insurance market and premium prices remain flat, with nearly 40 insurers offering multinationals protection through network security and risk insurance coverage. Contracts are generally written to provide a year of coverage, and limits of up to $400 million for each occurrence can be secured through a combination of primary and excess carriers.
Industry experts say the coverage has been evolving over the past decade as insurance companies accumulate more actuarial data, based on the loss history of various industries, each corporate customer’s use of technology and the corporation’s own level of security.
Kevin Kalinich, global network and cyber-risk practice leader at Aon Risk Solutions in Chicago, says the coverage details of a network security and risk insurance policy can be customized to fit the specific risks and financial needs of each corporate customer.
RISK TRANSFER MECHANISMS
Premium costs vary greatly and hinge on numerous factors, from the insured’s size, its type of business operations, its security and the amount of customer information it keeps on file and its use of third-party vendors to store its data or carry out computer operations. “A company operating an interactive website would differ from an online retailer taking in their customers’ personal identification information to a payments processor of business-to-business operations,” say Kalinich.
Kalinich, Aon Risk Solutions: The number of captives offering network risk insurance has expanded from two or three to 25
Premium costs could range from $10,000 per million dollars of coverage to $50,000 per million dollars of coverage. Large corporations typically take large retentions in the million-dollar range, while a small company would take a retention or deductible of $1,000, says Tim Stapleton, deputy global head of professional liability underwriting at Zurich North America.
Insurance captives offer multinationals another risk transfer mechanism. In the past three years, the number of captives offering network risk insurance has expanded from approximately two or three to 25, says Kalinich.
Whereas multinationals in the media and technology sector have purchased network security insurance since its inception about a decade ago, the growing concerns about the protection of privacy have prompted universities and companies in the healthcare industry to purchase the policies, Marsh’s Parisi says.
Retailers and financial institutions, which accumulate vast amounts of personal information from customers and wealthy clients, are some of the most frequent purchasers of this type of cover. But, whatever the industry, the use of the coverage is growing.
IT’S ALL IN THE NAME
Companies can thank their lucky stars that the policy details of cyber risk commercial insurance cover aren’t as unwieldy as the gamut of names it can go by. Although the core coverage provided by a specialized liability policy written to protect against cyber risks is fairly consistent, the names used for this type of policy is not. A sampling: cyber liability, network security liability, data breach liability, security and privacy liability, privacy breach coverage.
Tim Stapleton, deputy global head of professional liability underwriting at Zurich North America, says most policies are designed to cover costs resulting from data breaches involving the wrongful disclosure of sensitive personal information: names, addresses, social security and credit card account numbers and medical records. In some jurisdictions it would also envelop data on religious beliefs and political affiliations. They also cover costs associated with general violations of privacy regulations set down by federal, state or local laws or directives meant to protect an individual’s privacy rights.
First-party cover, for example, helps a company recover the expense involved in repairing its database of customers, should a computer hacker implant malicious code and damage it. The coverage should compensate a company for the cost of carrying out a forensics investigation and hiring technology experts to come in and rebuild the database. Business interruption costs from the temporary loss of information can also be insured, as can expenses related to cyberextortion.
Third-party protection is increasingly capturing the attention of executives. If a hacker penetrates a company’s firewall and taps into its database to sensitive customer data, a network risk policy covers the damages to those customers whose privacy was violated.
One of the latest innovations from insurers is a broadened business interruption trigger that may provide coverage for loss of income if an insured’s system suffers an outage due to a failure of technology, without the requirement of a failure of computer security. And coverage for risks associated with cloud computing is now available for losses suffered from the failure of an insured’s cloud provider.