By Chris Christian, CIC, RPLU
Most insureds who are aware of cyber coverage think immediately of large retailers and credit card breaches or of healthcare systems and patient information being stolen. These are certainly valid examples of cyber exposures, but if an insured doesn’t have similar information at risk, they often assume a cyber policy cannot do anything for them. They would be wrong. Let’s explore a few areas where a cyber policy can provide significant value to a business-to-business insured.
Corporate data privacy liability
Even though there are no breach-notification statutes for a corporation's own data comparable to those that protect consumers' personal information, a corporation still has a reasonable expectation that information shared with another party in order to conduct business will be treated with care. A confidentiality agreement may exist that defines and documents those expectations. If an insured loses control of its corporate clients' information, the harmed parties can bring a claim against the insured, just as a consumer would against a retailer or other entity that lost control of the consumer's data.
How often such claims succeed remains to be seen, as there are no headline-grabbing class actions that make them easy to track. If there is a confidentiality agreement, there is a clear breach-of-contract issue, which a cyber policy should address. Without one, there can still be an action in tort, and the insured will benefit from having a cyber policy regardless of the specifics of its relationship with the client.
It's important to note here that policies vary widely in the types of corporate information they cover, so you must check the policy wording to be sure it applies to your insured's situation. Many policies also require a written confidentiality agreement for coverage to apply, so tread carefully with them if your insured works from simple contracts, purchase orders, or handshake agreements.
Network security liability
We all remember the huge Target breach of 2013, and you may recall that the attackers gained access to Target's network through one of the company's refrigeration and HVAC contractors. Rumors swirled at the beginning that the vendor had access to in-store system controls, but that was not the case. The vendor simply had credentials for a portal used to submit invoices and contract paperwork to Target. That was enough. The attackers harvested the vendor's credentials with malware planted on the vendor's own systems, used them to reach Target's vendor-facing systems, and over the following weeks moved through Target's internal network to the point-of-sale systems, where they installed memory-scraping malware that captured card data. The lesson for the practitioner is that a low-privilege vendor login became a foothold because nothing separated the vendor-facing systems from the payment environment.
The vendor did not store, process or manage any Target customer data. However, its compromised credentials were the entry point for a breach of about 41 million customer payment card accounts. That's a bad day at the office, right there.
Because the vendor's loss arose from an intrusion into its own network (malware that stole its credentials), a cyber policy that included "unauthorized access" in its network security coverage would likely have protected the vendor against claims brought by Target. Such protection would probably not have made much of a dent in Target's damages, but it would at least have given the vendor resources to defend itself or negotiate a settlement.
It's important to note that not all cyber policies cover "unauthorized access" as a cause of loss. Some cover only the transmission of a virus or malware to a third party and denial-of-service attacks; neither happened here, since the vendor received malware rather than passing it on. If a policy covers damages arising from "harm or hacking" or from "unauthorized access," then it would likely respond favorably to this kind of scenario.
Business Interruption/Extra Expense/Reputational Harm
If an insured is automated in any appreciable way, the business interruption features of a cyber policy can be quite valuable. Some of the benefits will overlap with an electronic data processing (EDP) policy or endorsement, if the insured carries such coverage.
Today's cyber policies fall short of covering business interruption arising from physical damage to equipment or inventory caused by a cyber event, but damage to the insured's system itself (its software and data, not the hardware) does trigger coverage.
Additionally, many policies now include "system failure" as a business interruption trigger, which provides coverage for an unplanned outage of the insured's system even when the insured cannot identify a cyber attack as the cause.
The most frequent cause of a business interruption claim right now is ransomware. Carriers will sometimes agree to reimburse the insured for a ransom payment, but most policies do not have an affirmative coverage grant for such a payment. There is also a sanctions question: paying a ransom to a person or group designated by OFAC, or located in a sanctioned jurisdiction, can violate U.S. sanctions regulations, and OFAC has advised that such violations are assessed on a strict-liability basis, regardless of whether the payer knew who was behind the demand. The more common outcome is for the carrier to pay to rebuild the insured's system and restore or reconstruct the software and data. That can be time consuming and expensive, and having a cyber policy can be the difference between continuing to operate and going bankrupt.
If a breach or ransomware attack becomes known to the public, an insured may find itself struggling to keep customers or attract new ones in the following months because of reputational harm. A good cyber policy will compensate an insured for anywhere from three to twelve months of business income lost to such reputational harm.
Cyber crime
Many insureds do not carry adequate crime coverage, and the standard employee dishonesty coverage on a package policy does not address the computer-enabled theft of funds by outsiders to which most of our insureds are exposed these days.
Even a commercial crime policy with wire transfer fraud and computer fraud wording will respond only to very specific scenarios, typically a fraudulent instruction that impersonates the insured or a direct manipulation of its systems, not an employee who is tricked into sending a payment voluntarily.
The cyber crime coverage provided on a cyber policy generally includes social engineering fraud, as well as a broad grant regarding digital manipulation of funds or similar wording that acknowledges the non-physical and fluid environment in which most of our financial transactions occur. Social engineering fraud, along with ransomware, is a very quickly growing component of the cyber criminal's repertoire; the FBI's Internet Crime Complaint Center reported about $1.77 billion in business email compromise losses for 2019. Social engineering fraud is very susceptible to loss controls, so insureds do not have to feel powerless: out-of-band verification of any change to a vendor's payment details using contact information already on file, dual authorization for wire transfers above a threshold, and multi-factor authentication on email accounts eliminate most of these losses. But good controls, combined with even a modest sublimit on the cyber policy, are a sound belt-and-suspenders approach.
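The following is an added example of the kind of loss control referred to above; it is not code from the original article. It screens an inbound vendor email before accounts payable acts on it: any request that changes where money goes is held for a call-back on the number already on file, and the usual business email compromise red flags (a sender domain that is not an approved vendor, a lookalike domain built from character swaps or a one- or two-character typo, and a Reply-To header pointing somewhere other than the sender) are recorded so the reviewer knows what to confirm. The approved-vendor list, keyword lists and the three sample messages are constructed for illustration.

```python
"""Pre-payment screen for social engineering / business email compromise (BEC).

Added example, not code from the original article. The approved-vendor list,
the keyword lists and the sample messages below are constructed for illustration.
"""
from dataclasses import dataclass, field
from email import message_from_string
from email.utils import parseaddr

# Assumed: domains of vendors already set up in accounts payable.
APPROVED_VENDOR_DOMAINS = {"acme-refrigeration.com", "northwind-parts.com"}

# Character swaps commonly used to register lookalike domains.
CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))

PAYMENT_TERMS = ("bank", "account number", "routing", "wire", "iban", "swift", "remit")
CHANGE_TERMS = ("update", "change", "new", "switch")


def normalize(domain: str) -> str:
    """Undo the usual confusable substitutions so lookalikes collapse onto the real name."""
    d = domain.lower().strip()
    for bad, good in CONFUSABLE_PAIRS:
        d = d.replace(bad, good)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the approved domain this one imitates, or None if it is approved or unrelated."""
    if domain in APPROVED_VENDOR_DOMAINS:
        return None
    norm = normalize(domain)
    for good in APPROVED_VENDOR_DOMAINS:
        if norm == good or edit_distance(norm, good) <= 2:
            return good
    return None


@dataclass
class Assessment:
    sender_domain: str
    requests_payment_change: bool
    findings: list = field(default_factory=list)

    @property
    def hold_for_verification(self) -> bool:
        # Policy: a change to payment details is always confirmed by calling the
        # vendor on the number already on file, never on details taken from the email.
        return self.requests_payment_change or bool(self.findings)


def assess_message(raw: str) -> Assessment:
    """Parse one RFC 822 message (single-part text/plain) and screen it."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_to.rpartition("@")[2].lower() if reply_to else sender_domain
    body = msg.get_payload().lower()

    mentions_payment = any(t in body for t in PAYMENT_TERMS)
    requests_change = mentions_payment and any(t in body for t in CHANGE_TERMS)
    a = Assessment(sender_domain, requests_change)
    if not mentions_payment:
        return a  # nothing financial in the message; no further checks

    if sender_domain not in APPROVED_VENDOR_DOMAINS:
        target = lookalike_of(sender_domain)
        note = f"sender domain {sender_domain!r} is not an approved vendor"
        if target:
            note += f" and resembles {target!r}"
        a.findings.append(note)
    if reply_domain != sender_domain:
        a.findings.append(f"Reply-To goes to {reply_domain!r}, not the sender's domain")
    return a


# Constructed sample messages (not real correspondence).
LEGIT_INVOICE = (
    "From: Dana <billing@acme-refrigeration.com>\nSubject: Invoice 4471\n\n"
    "Attached is invoice 4471 for the March service visit; please remit per the terms on file.\n"
)
LEGIT_BANK_CHANGE = (
    "From: Dana <billing@acme-refrigeration.com>\nSubject: Updated remittance details\n\n"
    "We have moved banks. Please update our account number and routing number before the next payment.\n"
)
BEC_ATTEMPT = (
    "From: Dana <billing@acme-refrigerati0n.com>\nReply-To: acme.billing@example.net\n"
    "Subject: URGENT: new bank details\n\n"
    "Please change our wire instructions today; new account number and routing attached.\n"
)

if __name__ == "__main__":
    for name, raw in (("invoice", LEGIT_INVOICE), ("bank change", LEGIT_BANK_CHANGE), ("bec", BEC_ATTEMPT)):
        result = assess_message(raw)
        print(f"{name}: hold={result.hold_for_verification} findings={result.findings}")
```

The legitimate bank change is still held even though it raises no red flags; that is deliberate, because a compromised genuine vendor mailbox produces a message with no technical indicators at all, and only the call-back catches it. The lookalike check runs the sender's domain through the confusable swaps first and then allows a small edit distance, so both `acme-refrigerati0n.com` and a single dropped letter are caught without flagging unrelated domains.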
As you can see, there is a lot more to cyber than meets the eye if one is focused only on consumer data. It behooves us to step back and widen our perspective. The four areas detailed above are critical to your insured's risk management planning, whether or not they choose to purchase insurance for the exposures.