Mind the Gap
Be alert for coverage pitfalls and be sure your clients are appropriately protected
Although data breaches are becoming increasingly commonplace, many small business owners still believe that cyber criminals would prefer to go after large companies such as Target, Home Depot, and Equifax.
They couldn’t be more wrong. Verizon’s 2017 Data Breach Investigations Report stated that 61% of the businesses affected in the study had fewer than 1,000 employees. The report also noted: “It’s not just household brands that find themselves on the cyber spies’ hit list. Start-ups are targeted for their breakthrough technology. More established companies fall victim for their sales lists. And others are identified as a soft target useful as a stepping stone to their partners’ systems.”
At this point you’re likely thinking: “I get it. Cyber liability insurance is important, and I’m going to do a better job of selling it this year.”
But do you really know what you’re selling? Are you aware of some of the pitfalls associated with cyber liability insurance policies?
Before we explore those issues, let’s look at some new ways in which criminals are accessing data.
John Immordino, CIC, CRM, RPLU, vice president of Arlington/Roe, teaches a cyber liability course as part of The National Alliance’s Ruble Graduate Seminar program. I recently attended the course and was relieved that many of the hot-button issues I have focused on in this area are the same issues that Immordino addressed. I wasn’t prepared, however, for some of the cyber crime techniques he shared with the class.
If you’re like me, you’ve fallen into the trap of thinking most data breaches are the result of a deliberate computer system attack or concentrated efforts such as spearphishing (see the December 2017 issue of Rough Notes for more information on this method). The truth is that it’s not difficult for criminals to access a computer network.
For example, Immordino explained that criminals are leaving flash drives in parking lots and at office building entrances. Why? There’s a good chance that someone will pick up the drive and out of curiosity will plug it into a computer to see what is on it. Once that occurs, malware is immediately loaded onto the computer and the network can be breached.
Another technique is for a twenty-something to enter an office with a coffee-stained resume in hand. He or she looks panicked and tells the receptionist that he or she has an interview at another office in the building but accidentally spilled coffee on the resume. The person then asks if it would be too much trouble to have a clean copy printed from the flash drive he or she happens to have on hand. The unsuspecting receptionist, pleased to be doing a good deed, plugs the flash drive into his or her computer and exposes the network to malware.
Identity theft insurance is vulnerable to procedural gaps that can affect any kind of business. Knowing how criminals conduct their business is just as important as understanding the insurance needed to remedy data breach situations. I’ve provided only a small sample of popular hacking techniques; you’d be wise to research other methods and how to defend against them.
Coverage issues
Several specific coverage areas are easy to overlook in cyber insurance policies. With no two cyber policies being structured the same, it is often difficult to dissect policies to ascertain how they would respond to different situations. The following information will help you focus on specific provisions that differ from one coverage form to another.
Issue One—Paper. Immordino surprised me when he stated that some cyber policies don’t cover paper. Our agency doesn’t sell a cyber policy unless it covers all forms of data (electronic as well as paper). I had assumed that the industry had adapted and was smart enough to realize that this exposure is critical.
Yes, you might have the occasional client who says his or her business is paperless and doesn’t have any personally identifiable information on paper. But is it worth the risk when policies are available that cover all forms of data—and the premium is essentially the same? You’ll be better served by selling policies that don’t restrict data breaches to the unauthorized access of electronic data. Make sure you’re covering paper records as well.
Issue Two—Cyber Extortion. Not only are criminals employing new techniques to access your data and potentially hold it hostage, they also are becoming smarter in their extortion methods. Bitcoin is among the preferred methods for cyber extortion situations; unfortunately most policies don’t appropriately address this exposure.
Immordino pointed out that, although most cyber policies address the peril of cyber extortion, some pay or reimburse ransoms only in dollars. If the criminal is demanding bitcoin or another digital currency, the policy might not respond.
Check the policies you sell to see how extortion payments are addressed. One policy that our agency offers defines extortion payments as “money, digital currency, marketable goods or services demanded to prevent or terminate an extortion threat.” You and your clients should feel comfortable with this definition or one that is similar.
Issue Three—Assessments. One coverage feature that is easy to overlook—unless you know what you’re looking for—pertains to assessments. These come into play when a payment card information breach causes a bank or financial institution to issue new credit or debit cards to affected individuals, and the breached business is given the resulting bill. Many of your clients and prospects likely face this exposure.
The language that addresses this exposure varies by policy; here is sample language from another policy form our agency uses:
“We agree to pay on your behalf any fines, penalties, and card brand assessments including fraud recoveries, operational reimbursements, non-cooperation costs and case management fees which you become legally obliged to pay your acquiring bank or payment processor as a direct result of a payment card breach first discovered by you during the period of the policy.”
Issue Four—Notification. A key cyber liability exposure is the cost of notifying affected (or potentially affected) individuals that a firm has experienced a data breach and that their personally identifiable information may have fallen into the wrong hands. A claim under this coverage can quickly erode limits of insurance and leave your clients woefully underinsured if they don’t have appropriate coverage.
Usually this coverage is subject to a traditional limit of insurance that decreases as notification costs are incurred. If notification cost isn’t a separate limit of insurance and instead is part of a single limit, there’s a good chance that the remaining limit will be inadequate to address all of the other expenses that result from a data breach.
There are a couple of ways to protect yourself and your clients in this area:
- Sell policy forms that have a separate limit of insurance for notification costs
- Sell policy forms that specify a number of “notified individuals” rather than a limit of insurance.
The second method obligates the insurer to pay the cost of issuing notifications up to a set number of individuals, and the expenses are not capped at a certain dollar amount.
Issue Five—Reputational Harm. In the event of a data or payment card breach, your client is likely to suffer reputational damage. Reputational harm coverage will replace income your client loses as a result of the reputational damage caused by the breach.
The key element of this coverage is the length of time for which the coverage will apply. It’s not unusual for this coverage to be restricted to a 30- or 60-day period. Our agency has an insurer that offers a full 12 months for this coverage, so check with your carriers to see if longer periods are available.
Summing up
The best defense against a data breach is to have appropriate policies and procedures in place to safeguard your clients’ private data. A measure as simple as disabling USB ports on employee computers can play a significant role in preventing potential disasters. What’s more, employee training is critical.
The next best defense is to have a cyber liability policy in place that appropriately covers the exposures of your clients (and your agency, as well). Knowing how your clients operate and how data breaches might affect them will help you develop cyber liability programs that will provide peace of mind to them and you.
The author
Marc McNulty, CIC, CRM, is vice president of insurance operations at The Uhl Agency in Dayton, Ohio, and has been with the agency since 2001. He divides his time among sales, marketing, technology and operational duties. You can reach Marc at marcmcnulty@uhlagency.com