With near-daily headlines about the latest high-profile cyber breach, it’s no wonder that boards have dramatically increased their focus on cyber exposures, data security and privacy. While attention to cyber-risk insurance has spiked this year, far too many companies still seem to be operating on the false premise that IT can prevail in the war against hackers or that traditional coverage will adequately protect the company from this nontraditional, hyper-dynamic risk.
Hackers, who are often well organized and well funded, routinely circumvent defenses—and have demonstrated that they can do so at will. Even companies that specialize in security have been successfully hacked. Still believe your technological defenses are solid? Consider that spear phishing and other fraud-based hacking techniques take advantage of the weakest link in the security chain—your workforce.
With data breach lawsuits surpassing $100 million in damages, and the costs of investigation, notification and remediation potentially staggering, why aren’t more companies buying cyber-risk insurance? The biggest reason we can see is that they mistakenly believe the costs of class actions and the myriad expenses required to respond to a breach event would be picked up somewhere in their company’s traditional portfolio of insurance policies.
- Commercial General Liability. Many companies have reported that they would expect their commercial general liability (CGL) policy to respond to cyber and data protection risks. Do they? CGL policies are designed to respond to third-party bodily injury and property damage claims. Data breaches are neither of these. CGL policies also respond to personal and advertising injury, false arrest, copyright infringement and wrongful eviction or entry claims. None of these protections affords express protection for network security and data breach incidents.
- Property. Property policies don’t fit cyber risks either. They are designed to respond to the loss or damage of tangible assets. As valuable as electronically stored information such as credit card numbers and trade secrets are to an organization and its customers, they are intangible.
- Fidelity. Traditional fidelity policies won’t provide coverage either. These respond to loss of money and securities, not data. And they don’t cover legal liability.
None of these conventional coverages are intended to address cyber risks. Depending on them to respond to data security or privacy events leaves a company and its stakeholders vulnerable. It also puts directors personally at risk.
If an event is not properly and promptly managed, a company could face a class action lawsuit, regulatory fines and penalties, and damage to its reputation. Its board may be exposed to litigation seeking to hold the members responsible for the mismanagement of a breach, disclosures about a breach or the potential impact from a breach, or the failure to put adequate safeguards in place.
All of this points to the need for board members to take an active role in moving their companies out of any murky gray area, with coverage designed expressly for privacy and security liability exposures. Effective coverage is readily available. Along with damages and defense costs, coverage can pick up incident-response costs. This includes the costs of notification and credit/identity monitoring for those whose information is compromised. It can also include legal assistance navigating the fast-changing regulations in this area, and public relations and crisis management consulting to help manage the media onslaught that can accompany an event (and that can make or break a company’s image in the marketplace).
In today’s environment, cyber-risk insurance solutions not only provide financial protection, they make an efficient, risk-mitigating response to a breach nearly turnkey. No company should be without them.
Mark Camillo is a vice president, professional liability, in the New York office of Chartis. Contact him at Mark.Camillo@ChartisInsurance.com.
