In the last issue, Education Forum looked at the growth in product recall insurance and how it fits into the commercial landscape. In this issue, we look at another trending product: cyber-liability insurance. As with product recall, cyber-events can affect a company’s reputation and call for the use of both insurance and risk management tools.
With the growth in Internet usage and the expansion of connectivity, exposure to cyber-risk is on the rise for most businesses. From malware such as viruses and worms to hackers grabbing credit card details, and from denial-of-service (DoS) attacks to advanced persistent threats (designed to steal data over a long period), the forms of cyber-attack are many and varied.
Defending a business against cyber-attack is difficult. Tools such as firewalls, authentication devices and anti-virus software are helpful – indeed, essential – but vulnerabilities can persist. It is virtually impossible to mount and maintain a comprehensive, fail-safe defence against the diverse and ever-evolving forms of attack.
Although it can be tempting to think of cyber-risk as a problem that mainly affects large US companies, Canadian organizations are far from immune. Separate reports released over the last two yearstattacks. In the past 12 months, high-profile cyber-crime events have afflicted US-based retailers Target and Home Depot, but also the Canada Revenue Agency and the National Research Council.
Costs and consequences
In this context, Canadian businesses increasingly need to be prepared for a cyber-event. The effects of cybercrime on a company can include direct financial loss (through fraudulent activity), indirect financial loss (such as through business interruption and the costs of restoring data and services), and the loss of intellectual property or other forms of competitive advantage.
Loss of data can also result in a company breaching its obligations under privacy and data protection legislation. This can lead to regulatory repercussions, such as fines, and can expose a company to the threat of litigation by affected customers.
But perhaps the biggest potential cost of cybercrime is the damage to business reputation and loss of customer confidence that can result. When an organization fails to protect its information intelligence, clients and other key stakeholders lose their trust in the organization.
Many companies have been slow to take these risks seriously, but media reports of breaches – coupled with evolving legislative requirements – are driving increased interest in cyber-security and cyber-insurance.
Cyber-insurance is available on a standalone, monoline basis. Some policies provide coverage that is limited to third-party liability expenses such as legal defence costs and regulatory fines. More comprehensive policies also include first-party coverage for the costs associated with a data breach (such as data restoration), and may provide access to services such as notification assistance, credit monitoring, communications and crisis management, forensic accounting and a range of legal services.
Some standalone cyber-insurance policies also provide business interruption coverage (or, more specifically, network interruption coverage) in response to denial-of-service attacks or for data losses, even those that involve no physical damage.
Cyber-insurance is also provided through endorsements to existing policies – such as errors and omissions (E&O) policies, commercial general liability policies or regular business interruption policies. So far, endorsements have been a more popular option in Canada than standalone cyber-policies.
While the endorsement route can appear flexible, allowing clients to add clauses that fit their needs without putting a separate policy in place, policies that were not designed for cyber-risk may not always provide the level of cyber-security protection that a given business expects. Adjusters handling a cyber-claim under an endorsement to another type of policy will need to review the policy carefully to check for issues such as high deductibles or sub-limits on first-party exposures.
Work in progress
Cyber-insurance is still a fairly new offering, and coverages vary from policy to policy. For example, a policy may or may not contain exclusions for failure to maintain systems, software or risk controls. Coverage of legal services might be focused on defence expenses or might also include alternative dispute resolution services such as arbitration and mediation.
As high-profile cases raise awareness among consumers and business leaders about cyber-threats, businesses may feel increasing pressure to tackle cyber-risk as a strategic issue with potentially serious consequences for business reputation and business continuity – and the market for cyber-insurance is likely to expand as a result. For claims professionals, learning about these new coverages and developing approaches to these complex, multifaceted claims could provide a stimulating opportunity to develop a new area of expertise.
Cyber-risk is an exposure that is not well understood and is changing very quickly, with significant implications for insurance products, claims and liability cases – and also for the internal data management practices of adjusters, insurers, and all other industry participants.
To contribute to a better understanding of this emerging exposure, the CIP Society has commissioned a white paper exploring the implications of cyber-risk for the p&c insurance industry in Canada and addressing its potential impacts on commercial insurance and cyber-liability coverage. The white paper, which will include recommendations for the industry, is to be published in spring 2015.
Crime and carelessness
Although recent high-profile cases of data loss and privacy breach have involved cyber-attacks by hackers, sensitive data can also be lost through other means. For example:
• theft of a laptop
• fraudulent conduct by an employee with access to information
• loss of a USB storage device
• improper disposal of information
Many cyber-insurance policies will cover some or all of these situations as well. For this reason, policies may be referred to by a broader description such as “cyber-risk” or “privacy breach”.
This article is based on excerpts from ADVANTAGE Monthly, a series of topical papers on emerging trends and issues provided to members of the Chartered Insurance Professionals’ (CIP) Society. The CIP Society is the professional organization representing more than 15,000 graduates of the Insurance Institute’s Fellow Chartered Insurance Professional (FCIP) and Chartered Insurance Professional (CIP) programs.