A new white paper from the Insurance Information Institute (I.I.I.) delves deeply into the growing risks posed to businesses by cyber attacks, providing hard data and exploring solutions such as cyber liability coverage and how adequately (or inadequately) businesses are protected from cyber attacks by insurance.
The 27-page report, Cyber Risks: The Growing Threat, notes that neither a commercial general liability (CGL) nor a standard business owner’s policy(BOP) generally offers coverage after a cyber attack, a risk that has garnered a lot of attention due to a spate of recent high-profile incidents. The2014 Allianz Risk Barometer Surveyfound that cyber risks ranked eighth (up from 15th the year before) when Allianz did its annual survey of global business risks, the first time the issue made it onto their Top 10 list.
Allianz noted that companies increasingly face new exposures to first- and third-party liability and business interruption from cyber attacks or disruptions, with loss of personal data and theft of intellectual property being major concerns.
Stand-alone cyber risk policies cover many of the expenses that emerge from the cyber theft of personal information, or trade secrets. The coverages include:
• Business Interruption: Covers loss of business income resulting from a cyber attack on a company’s network that limits its ability to conduct business.
• Criminal Rewards: Covers the cost of posting a criminal reward fund for information leading to the arrest and conviction of a person(s) who has hacked a company’s computer systems.
• Crisis Management: Covers the cost of retaining public relations assistance or advertising to rebuild a company’s reputation after a cyber attack.
• Cyber Extortion: Covers the monies expended to settle an extortion threat against a company’s cyber network, as well as the cost of hiring a security firm to track down and negotiate with blackmailers.
• Data Breach: Covers the expenses and legal liability resulting from a data breach, such as the costs needed to comply with regulatory requirements, or to address consumer concerns. The I.I.I.’s white paper cites three high profile cyber attacks in the U.S. in 2014. One occurred at eBay (May), and the others at Michael’s Stores (February) and Neiman Marcus (January).
• Identity Theft: Covers the costs associated with creating an identity theft call center in the event customer or employee personal information is stolen.
• Liability: Covers defense costs, settlements, judgements and/or punitive damages incurred by a company as a result of a data theft, transmission of a computer virus, failure of its computer security system, as well as allegations of copyright or trademark infringement, libel, slander, and defamation.
Studies vary widely on the percentage of companies buying cyber liability coverage. The white paper mentions a 2013 annual survey jointly produced by Advisen and Zurich found that 52% of companies claim to purchase cyber liability insurance; a 2013 report sponsored by Experian and conducted by the Ponemon Institute stated that 31% of U.S. companies have a cyber security insurance policy; and two 2013 reports by Willis surveyed the U.S. listed Fortune 500 and Fortune 501-1,000 firms and in both reports, only 6% of companies disclosed that they purchase insurance to cover cyber risks.
Whatever the precise number of U.S. companies buying cyber insurance may be, the white paper says there is growing evidence that in the wake of the Target data breach and other high-profile breaches, the number of policies is increasing, with one legal expert describing the Target data breach as “the equivalent of 10 free Super Bowl ads for insurers selling cyber policies.”
The I.I.I.’s Cyber Risks white paper was co-written by Dr. Robert Hartwig, president of the I.I.I. and an economist, and Claire Wilkinson, author of the I.I.I.’s award-winningTerms+Conditionsblog.
The I.I.I. is a New York-based nonprofit communications organization supported by the insurance industry. For more information call 212-346-5500 or visit www.iii.org.