The Identity Theft Resource Center (ITRC) is a nonprofit organization that provides information to the public with regard to identity theft. It also tracks data breaches and records exposed by compiling information from a variety of public sources. A breach is an event where an individual's name, plus Social Security number, drivers license number, medical records, or financial records could be at risk. The number of records exposed is the total number of individuals potentially at risk because of a particular breach. There have been 2,882 breaches since 2005, and over 498 million records have been exposed.

Business customers are particularly vulnerable. Although businesses represented only 35% of the
breaches, those breaches exposed more than 52% of the records.

For more information about these statistics and also to provide valuable prevention information
to your clients, contact:
www.idtheftcenter.org

Clients that do not have computers do not have cyber liability exposures. All others have a potential for loss. The potential depends on how they use computers in their operations. When confidential information is stored on a server, the exposure to liability because of a data breach is significant. When content is provided to customers, there is potential for libel, defamation, plagiarism, and other personal injury publishing issues. When computers are the lifeblood of the business, being hacked is a constant threat. Computers may even be held hostage until the demands of an extortionist are met. Cyber liability coverage responds to all of these and other potential losses

Here is a possible loss scenario:

Carolyn's Pharmacy has a problem. Someone hacked into its computer. A virus is destroying records, but even worse, patient records were stolen even before the virus started its destruction. Carolyn received a note demanding the amount she must pay to remove the virus and restore the records.

Carolyn is also incurring significant extra expenses because she cannot access any of her records. Her expenses will really skyrocket if her customers' records are compromised.

When she calls her agent and asks for help, he informs her of the numerous provisions in her policy that exclude coverage for most electronic data issues.

Cyber liability is evolving because electronic communication is evolving. In 2005 the Insurance Services Office (ISO) developed a standardized coverage form called the E-Commerce Program, and it has already been updated twice since it was introduced. Many carriers that write this coverage developed their own coverage forms so they could quickly modify the coverage as exposures change.

Our experts state that most carriers provide cyber liability coverage on a nonadmitted basis. This allows for the quick innovations and significant pricing flexibility required in such a rapidly changing marketplace.

Carriers that write this coverage include Philadelphia Insurance Companies, Travelers, Hiscox, Markel, CFC, Beazley, Chartis, Lloyd’s of London, Axis, OneBeacon, XL Insurance, Chubb, CNA, Great American, Crum & Forster, Hudson Specialty, Hartford, and Specialty Global.

Who needs this coverage? According to Matt Prevost, product manager: cyber and professional liability at Philadelphia Insurance Companies, “Any business that uses the Internet or operates an intranet needs some form of cyber or privacy coverage.”  David Derigiotis, director of professional lines at Burns & Wilcox, adds, “Any business that has customers and maintains files or a database that contains sensitive information has an exposure. Sensitive information can be as simple as an email address, home address, first and last names and, of course, Social Security numbers and credit card information.”

Steven Haase, CPCU, ARM, president of INSUREtrust.com LLC, says, “At a minimum, all companies have an exposure to theft of employee information, website content, rogue employee issues, phishing attacks, domain name disputes, etc.” Tim Francis, business insurance management and professional liability and cyber insurance lead at Travelers, states it quite simply: “Any business, as well as any nonprofit organization, that uses technology is exposed to cyber risks.”

The coverage forms and policies available to cover cyber risks are moving beyond security-only issues. Carriers are introducing package policies that include both first- and third-party coverages. Mr. Haase lists eight key elements of cyber liability coverage:

• Security and privacy liability
• Website content coverage/intellectual property and domain name coverage
• Virus coverage
• Civil regulatory actions
• First-party coverage for breach notifications, forensics, and credit monitoring expenses
• Cyber extortion
• Loss of data
• Loss of income due to loss of network resources

Jason Glasgow, CyberRisk product manager for Travelers Bond and Financial Products, provides a similar listing but breaks the grouping into first- and third-party coverages.

First-party coverage:

• Crisis management event expenses
• Security breach remediation and notification expenses
• Computer program and electronic data restoration expenses
• Computer fraud
• Funds transfer fraud
• E-commerce extortion
• Business interruption and additional expenses

Third-party liability coverage:

• Network and information security liability
• Communications and media liability
• Regulatory defense expenses

According to Mr. Derigiotis, “Key exposures are storing informational assets and the accessibility of that information. Informational assets include electronic and paper records that contain personal or confidential client information.”

Mr. Haase states: “Customers that are particularly vulnerable are companies with large amounts of sensitive personal and/or corporate information. These include health care companies, data aggregators, financial services firms, technology companies, payment processing firms, social networking sites, and entertainment companies. The greatest frequency is from virus damage, phishing attacks, and breaches that require sending notifications to potentially injured parties.”

Mr. Prevost says, “Severity is associated with major breaches because even the smallest nonprofit organizations have databases that include hundreds of thousands of records.”

“It can also be seen,” says Mr. Derigiotis, “with those operations that store credit card information and medical records. As the nature of this information is highly sensitive, the effects of it falling into the wrong hands can be very costly.”

Cyber liability is a term often associated with security breaches. However, Mr. Francis explains, “Cyber exposures go well beyond the issues associated with securing private information, and can extend to intellectual property and other concerns associated with what companies post on their websites, which could result in additional liabilities and other expenses. As a result, any company that stores personal information of employees or customers, or that even just relies on computer systems to conduct business, may have some cyber exposure.”

Coverage gaps are a major concern because cyber liability coverage is actually designed to fill in coverage gaps created by exclusions within standard coverage forms. Mr. Haase advises, “Be careful of exclusions for unencrypted data, intentional acts of employees, and data that is not in the insured’s care, custody, and control”.    Mr. Derigiotis adds, “Other serious coverage gaps are exclusions associated with contractual liability and fines associated with the payments card industry.”

This marketplace is extremely active. “We are in a very competitive marketplace, and the number of carriers competing for business in this space is at an all-time high. Pricing for cyber and privacy liability is more affordable than it has ever been,” explains Mr. Derigiotis. “At the moment, coverage is very broad and pricing is extremely competitive, and this will continue to be the case throughout 2011.”
 
Mr. Haase agrees, and adds, “Although the market continues to be soft, the rate of softening has slowed. There are a few markets that have been in this space for a long time and have started to tighten up. In addition, there are also some new players that are very aggressive and are driving prices down. Coverages continue to expand to address ever-growing privacy and security exposures.”

Customers are becoming increasingly aware of certain aspects of cyber liability coverage and may be particularly interested in exploring it. Mr. Prevost says, “As a result of frequent headline news on both large and small privacy breaches, small to mid-sized insureds are becoming increasingly aware of cyber liability exposures and coverages.”

Cyber liability exposures change as information technology evolves. According to Mr. Derigiotis: “A key emerging trend will be increased use of the Cloud for IT-related services. Businesses that use the Cloud are essentially outsourcing their network, applications, and/or other computer-based functions to be managed over the Internet. This is a cost-saving approach for many businesses, and it grants them 24/7 access to their outsourced provider for any troubleshooting tasks. Some concerns with this approach include loss of network control and security. Coverage is readily available for these exposures as we see an increased trend toward Cloud computing.”

Mr. Prevost explains that the changes are not limited to just the IT industry. They also include legislative issues. “New and emerging risks include those that may arise from current state legislative activity and application of existing laws. For example, the Song-Beverly Credit Card Act in California could have wide-ranging implications.”

Cyber liability exposures change constantly, and insurers must constantly evaluate those changes in order to provide much-needed coverage. Unfortunately, potential clients are not as aware as they should be of the potential dangers they face. As Mr. Haase says, “Selling cyber liability coverage puts you in the education business, and we have created a wide assortment of educational resources for our agents.”

The need for education also applies to any retail agent interested in selling this essential coverage.
Mr. Prevost says: “Just because an endorsement contains the words ‘cyber’ or ‘privacy’ or ‘data breach,’ it doesn’t necessarily equate to appropriate coverage. It is very important to understand the different nuances of what coverage is afforded and how/what is being sub-limited and coinsured.”