The answer is simple. The risks posed in today’s digital world mean a cyber event is more likely to cause catastrophic harm to your business than any other physical event.
Insurance is traditionally purchased for losses arising out of either property damage or personal injury. For years the insurance industry has provided a very efficient method of transferring risk in a pre-internet world. However, this basis of insurance is not fit for purpose when considering the risks posed by the digital age.
Insuring your losses resulting from a cyber event requires a specialist insurance solution. Cyber Insurance is a fast-evolving market, and one with which every organisation with a digital presence must become familiar. In today’s world that means just about every business!
C-Level Executives and Risk Managers are becoming increasingly aware of the need to ensure their organisations are prepared for the financial risks posed by the digital age. In particular, they need to understand the limitations of traditional insurance products, which require either property damage or personal injury in order to trigger a loss.
More importantly, any company director who is not fully informed about the rapidly emerging and evolving risks which the digital age presents faces potential liability claims for not properly carrying out their duties as a company director by failing to appropriately protect shareholder value.
The digital age is developing a complex risk profile which is surging at an alarming rate. A properly constructed Cyber Insurance programme is a critical part of managing this risk.
To understand the mechanics of a Cyber Insurance programme we need to split the risks into four categories:
- First Party Losses (Loss of Revenue or Expenses Incurred by Your Business)
- Privacy Regulation Defence, Awards & Fines
- Third Party Losses (Liability arising from a Privacy or Security Breach)
- Professional Liability (Optional Negligence Based Coverage for IT Professionals)
Read on further for a detailed explanation of the coverage provided by each section.
FIRST PARTY LOSS (LOSS OF REVENUE OR EXPENSES INCURRED BY YOUR BUSINESS)
Think of this in the pre-internet days as insuring your assets and any unexpected loss of revenue or expenses which may result from an insured property damage event. For example, a factory would insure its building, plant and machinery, and the consequential loss of revenue in the event the business was unable to trade.
In the case of the digital age, it’s insuring against a loss your business sustains which is caused by a network failure or data breach resulting in a financial loss or liability to a third party. A Cyber Insurance policy will respond to this, whereas a traditional property-based policy won't respond, as there has been no physical damage to trigger the Business Interruption or Public Liability coverage.
The coverage provided by Cyber Insurance includes:
Income Loss and Interruption Expenses
This coverage provides for any loss of net profit resulting from your network (including your website) being rendered inoperable by a cyber attack or cyber event. It will also extend to provide the additional increased cost of working expenses associated with getting your business operational again following a cyber security event.
An important part of this coverage is to ensure your insurer’s policy wording extends to include networks which are operated by a third-party provider.
Loss of Funds Due to Fraudulent Misuse of Data
This covers your organisation’s own funds wrongfully paid to an external party as a direct result of a targeted intrusion by a third party that fraudulently alters data held in the company's computer system.
There are examples of an organisation’s payroll system being manipulated in order to send pay runs to unauthorised external bank accounts. Very few insurers offer this coverage, so it is important to work with a specialist cyber risk and insurance broking firm who can advise you where this cover can be obtained.
Computer Forensic Investigation Costs
These are costs incurred with the Insurer’s consent for the purpose of retaining third-party providers such as IT consultants, accountants, legal advisers or other third-party providers to conduct a computer forensic analysis to investigate the cause and extent of an intrusion and whether an insured breach may be the cause. The legal adviser's role is also to ensure that the report and its findings are subject to legal professional privilege.
Reputation Management Expenses
This is a critical element of properly protecting your business against the expenses of managing your organisation’s reputation following a cyber attack on your business.
Public Relations Expenses: These are costs incurred with the Insurer’s consent for crisis management of the event. The purpose of the expenditure is to ensure that the reputation of the Insured is properly protected from negative publicity while action is underway to determine what has happened and the Insured’s obligations to the affected individuals. The efficient and professional management of this process is important to reducing the likelihood of or the cost of claims and requires the preparation of a detailed management action plan.
Notification Expenses: The cost of notifying individuals and entities who have been affected by a Data Breach. This will usually extend to include disclosure of the breach to affected data subjects, whether required by law or made voluntarily.
Identity Theft & Credit Monitoring Services: Costs incurred in engaging monitoring services from a third party for persons affected by a Cyber Event. This is to ensure that affected persons are not compromised by the use of stolen data to assume a person’s identity to open bank accounts and other financial mechanisms.
Cyber Extortion or E-Threat
Cyber Extortion or E-Threat coverage responds where an organisation is held to ransom in respect of a threat made against the organisation’s systems, records, data or ability to provide services. Think of the rising tide of Ransomware incidents involving open source encryption and you’ll see the need for this form of coverage.
Recovery of Damaged Digital Assets
This covers the recovery of damaged digital assets, including the data and programmes within an insured’s network, following accidental damage and/or destruction, administrative mistakes or a cyber attack / crime.
PRIVACY REGULATION DEFENCE, AWARDS & FINES
Australian regulators already have powers which hold organisations accountable for the way they store personal data. In March 2014 the Privacy Amendment Act bolstered these powers further with civil penalties of up to $340,000 for individuals and $1,700,000 for a body corporate. Coverage in respect of Regulatory Breach Liability will extend to:
Regulatory Breach Investigation & Defence Costs
In the event of an administrative or formal regulatory proceeding, a well-constructed Cyber Insurance programme will provide coverage for all necessary costs and expenses associated with a formal investigation and legal defence arising out of a claim which is the subject of a regulatory proceeding.
Fines & Penalties
Cover may include payment of fines and penalties, where this is permissible under the law. A sub-limit usually applies, or the cover is otherwise inclusive of regulatory proceeding costs.
THIRD PARTY LOSS (LIABILITY EXPENSES RESULTING FROM WRONGFUL ACT)
This section provides cover for claims made by a third party against your organisation. It is triggered by what is defined as a “wrongful act”, which can include errors, acts, omissions, neglect or breach of duty which results in liability to a third party. In the event of a cyber attack, third party losses can extend to the following:
Coverage can be provided in respect of any liability against the Insured arising from the infringement of any right to privacy in personally identifiable information in any form. This form of coverage also extends to the actual or alleged disclosure of a third party's corporate information, such as business secrets or professional information.
This coverage provides organisations with protection against claims which may arise from the failure to maintain the security or confidentiality of personally identifiable information in any form. This can include the following areas of risk / intrusion as a result of failing to maintain the security of the computer system:
- Allowing access by unauthorised persons
- Loss and/or destruction of electronic data
- Denial of service attack directed against a third party's computer system
- Transmission of malicious code to a third party's computer system
Coverage extends to provide defence costs incurred in respect of the investigation, defence, settlement or appeal of any claim.
Electronic Media Liability
Liabilities can arise from an alleged breach or alleged negligence in failing to maintain the security of the organisation's network and allowing access by unauthorised persons, resulting in the electronic publishing of material that defames a person or organisation or disparages their products or services.
THIRD PARTY LOSS (NEGLIGENCE BASED)
This section is more aligned to a traditional Professional Indemnity policy. The coverage is designed to cover the insured against any third party claims arising from an alleged breach of professional duty.
There are a number of specialist IT Liability Insurance products in the market which cater specifically for the unique risks associated with Information Technology Professionals. Coverage can be extended to include performance-based contractual liability and liability assumed in contract in the form of indemnity agreements and the like.